Emotet Banking Trojan Family Re-emerges, Taps Malicious PDF/Doc Files to Spread


The Emotet family of banking malware has been making an enormous resurgence for a couple of weeks now, targeting bank customers with a new batch of trojan-laden spam email. The new strain is capable of scanning the victim's user account, including archived emails, for banking information. According to ESET, a mainstream antivirus vendor, the new Emotet variant has been released into the wild en masse by its authors.

“According to our telemetry, the latest Emotet activity was launched on November 5, 2018, following a period of low activity. Breaking those detections down by country, this latest Emotet campaign appears to be most active in the Americas, the UK, Turkey, and South Africa. In the November 2018 campaign, Emotet makes use of malicious Word and PDF attachments posing as invoices, payment notifications, bank account alerts, etc., seemingly coming from legitimate organizations. Alternately, the emails contain malicious links instead of attachments. The email subjects used in the campaign suggest a targeting of English and German-speaking users,” explained ESET on its official blog.

Sample emails carrying the malicious PDF files that deliver Emotet's payload were submitted to ESET. One of them was a specially crafted email posing as an official Bank of America message, complete with the bank's logo and a very convincing social-engineering appeal to the bank's customers. The moment the user opens the PDF attached to the malicious email, the computer starts downloading the harmful payload in the background without the user's knowledge. The same goes for the .doc attachment counterpart.

“The compromise scenario in this November 2018 campaign starts with the victim opening a malicious Word or PDF file attached to a spam email seemingly coming from a legitimate and familiar organization. When the victim enables macros in Word or clicks on the link in the PDF, the Emotet payload is subsequently installed and launched, establishes persistence on the computer and reports the successful compromise to its C&C server. In turn, it receives instructions on which attack modules and secondary payloads to download. The modules extend the initial payload’s functionality with one or more of credential-stealing, network propagation, sensitive information harvesting, port forwarding, and other capabilities,” added ESET.

ESET has published the SHA-1 hashes of Emotet and its companion modules, for system administrators who want to inspect the code's operation further:

Main Emotet Module:

SHA-1

  • 51AAA2F3D967E80F4C0D8A86D39BF16FED626AEF
  • EA51627AF1F08D231D7939DC4BA0963ED4C6025F
  • 3438C75C989E83F23AFE6B19EF7BEF0F46A007CF
  • 00D5682C1A67DA31929E80F57CA26660FDEEF0AF

Modules:

  • 0E853B468E6CE173839C76796F140FB42555F46B
  • 91DD70BBFF84D600142BA32C511D5B76BF7E351
  • BACF1A0AD9EA9843105052A87BFA03E0548D2CDD
  • A560E7FF75DC25C853BB6BB286D8353FE575E8ED
  • 12150DEE07E7401E0707ABC13DB0E74914699AB4
  • E711010E087885001B6755FF5E4DF1E4B9B46508

TrickBot Payload:

  • B84BDB8F039B0AD9AE07E1632F72A6A5E86F37A1
  • 9E111A643BACA9E2D654EEF9868D1F5A3F9AF767

IcedId Payload:

  • 0618F522A7F4FE9E7FADCD4FBBECF36E045E22E3

The ESET Research team also publicly revealed Emotet's command-and-control (C&C) servers, as of Nov 9, 2018:

  • 187.163.174[.]149:8080
  • 70.60.50[.]60:8080
  • 207.255.59[.]231:443
  • 50.21.147[.]8:8090
  • 118.69.186[.]155:8080
  • 216.176.21[.]143:80
  • 5.32.65[.]50:8080
  • 96.246.206[.]16:80
  • 187.163.49[.]123:8090
  • 187.207.72[.]201:443
  • 210.2.86[.]72:8080
  • 37.120.175[.]15:80
  • 77.44.98[.]67:8080
  • 49.212.135[.]76:443
  • 216.251.1[.]1:80
  • 189.130.50[.]85:80
  • 159.65.76[.]245:443
  • 192.155.90[.]90:7080
  • 210.2.86[.]94:8080
  • 198.199.185[.]25:443
  • 23.254.203[.]51:8080
  • 67.237.41[.]34:8443
  • 148.69.94[.]166:50000
  • 107.10.139[.]119:443
  • 186.15.60[.]167:443
  • 133.242.208[.]183:8080
  • 181.229.155[.]11:80
  • 69.198.17[.]20:8080
  • 5.9.128[.]163:8080
  • 104.5.49[.]54:8443
  • 139.59.242[.]76:8080
  • 181.27.126[.]228:990
  • 165.227.213[.]173:8080
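The hash and C&C lists above are published in the usual defanged form (`[.]` in place of `.`), and one of the module hashes is printed with only 39 hex characters, so a defender cannot paste them straight into a blocklist. The following Python script is an added example, not ESET's or this article's own tooling: it refangs the C&C entries, rejects hashes that are not 40 hex characters, and matches a few constructed proxy log lines and a constructed file-hash inventory against the indicators. Only a subset of the page's indicators is embedded; the log format, file paths and the `high`/`medium` confidence labels are assumptions for illustration.

```python
import re
import ipaddress
from collections import defaultdict

# A subset of the indicators reproduced on this page, kept exactly as printed.
EMOTET_SHA1 = [
    "51AAA2F3D967E80F4C0D8A86D39BF16FED626AEF",
    "EA51627AF1F08D231D7939DC4BA0963ED4C6025F",
    "3438C75C989E83F23AFE6B19EF7BEF0F46A007CF",
    "00D5682C1A67DA31929E80F57CA26660FDEEF0AF",
    "0E853B468E6CE173839C76796F140FB42555F46B",
    "91DD70BBFF84D600142BA32C511D5B76BF7E351",   # 39 hex chars as printed: truncated, must not be loaded as-is
    "B84BDB8F039B0AD9AE07E1632F72A6A5E86F37A1",
    "0618F522A7F4FE9E7FADCD4FBBECF36E045E22E3",
]
EMOTET_C2 = [
    "187.163.174[.]149:8080",
    "70.60.50[.]60:8080",
    "207.255.59[.]231:443",
    "50.21.147[.]8:8090",
    "216.176.21[.]143:80",
    "165.227.213[.]173:8080",
]

SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

def refang(ioc: str) -> str:
    """Undo the '[.]' defanging used in published indicator lists."""
    return ioc.replace("[.]", ".")

def load_hashes(raw):
    """Split hashes into a usable set and a list of malformed entries (wrong length or non-hex)."""
    good, bad = set(), []
    for h in raw:
        h = h.strip().upper()
        if SHA1_RE.match(h):
            good.add(h)
        else:
            bad.append(h)
    return good, bad

def load_c2(raw):
    """Return {ip: {ports}} after refanging and validating each 'ip:port' entry."""
    table = defaultdict(set)
    for entry in raw:
        ip, _, port = refang(entry).rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a garbled address
        table[ip].add(int(port))
    return dict(table)

# Assumed proxy/firewall log format (constructed for this example).
LOG_RE = re.compile(r"dst=(?P<ip>[\d.]+)\s+dport=(?P<port>\d+)")

def scan_proxy_log(lines, c2):
    """Match outbound connections against the C&C table.
    'high' = IP and port both match; 'medium' = IP matches on another port,
    since a published list is a snapshot and the ports rotate."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, port = m["ip"], int(m["port"])
        if ip in c2:
            hits.append((line, "high" if port in c2[ip] else "medium"))
    return hits

def scan_hash_inventory(inventory, known):
    """inventory: {path: sha1}; return the paths whose hash is on the list."""
    return sorted(p for p, h in inventory.items() if h.upper() in known)

# Constructed sample data (not real telemetry).
SAMPLE_LOG = [
    "2018-11-09T10:00:01Z src=10.0.0.5 dst=187.163.174.149 dport=8080 action=allow",
    "2018-11-09T10:00:02Z src=10.0.0.5 dst=8.8.8.8 dport=443 action=allow",
    "2018-11-09T10:00:03Z src=10.0.0.7 dst=207.255.59.231 dport=8080 action=allow",
    "2018-11-09T10:00:04Z src=10.0.0.9 dst=216.176.21.143 dport=80 action=block",
]
SAMPLE_INVENTORY = {
    r"C:\Users\alice\AppData\Local\Temp\invoice.exe": "51aaa2f3d967e80f4c0d8a86d39bf16fed626aef",
    r"C:\Windows\System32\notepad.exe": "0000000000000000000000000000000000000000",  # constructed benign placeholder
}

if __name__ == "__main__":
    hashes, malformed = load_hashes(EMOTET_SHA1)
    c2 = load_c2(EMOTET_C2)
    print("malformed hashes (fix before loading):", malformed)
    for line, confidence in scan_proxy_log(SAMPLE_LOG, c2):
        print(confidence, line)
    print("hash hits:", scan_hash_inventory(SAMPLE_INVENTORY, hashes))
```

Flagging an IP match on an unlisted port as `medium` rather than dropping it is deliberate: the ESET list is dated Nov 9, 2018, and Emotet's C&C ports change between snapshots, so an exact `ip:port` match is strong evidence but an IP-only match still deserves a look. The malformed-hash list is returned rather than silently skipped so that the operator knows one indicator from the source needs to be re-checked before the blocklist is considered complete.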



Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer covering the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites such as hackercombat.com and others.
