November 16, 2017 By Douglas Bonderud 2 min read

Banking Trojans are now commonplace. Cybercriminals rely on them because they generate reliable profits. Although users are getting wise to basic techniques, new variants ensure that attackers always have another avenue of compromise.

Consider the ongoing threat of Emotet, which has been making the rounds since 2014. According to Minerva, its latest campaign includes a host of upgrades that make it hard to detect and even harder to stop. The silver lining? Current versions of the code also include a loophole users can leverage to keep their systems clear.

Emotet’s Threat Evolution

The Trojan made a name for itself in 2014 by intercepting network activity and stealing data via DLL injections. Later the same year, the Trojan was upgraded with modular capabilities and code, allowing it to initiate automated banking transfers from victims’ accounts to command-and-control (C&C) servers. Emotet’s authors also ensured that Russian-speaking users were left alone.

By 2015, it included the ability to detect if it was running on a virtual machine used for security testing and contacted fake C&C servers to mislead researchers.

2017 has been a busy year for this Trojan. It gained features including:

  • Sandbox evasion — Download URLs are encrypted, making it harder for security teams to grab malware samples.
  • Exploit inclusion — The Trojan was first to use EternalBlue/DOUBLEPULSAR as part of an organized attack campaign.
  • Improved modules — Recently added modules now steal browser and email credentials.
  • Machine mining — New code lets the malware grab details about victims’ machines, including process names and specifications, and then decides how to proceed.

Now Emotet is staging yet another comeback, this time using a new infection vector: emails that contain a link to malicious documents, rather than attachments. This lets the malware evade standard email security solutions. If users download the malicious file and enable Word macros, the code executes a batch script and PowerShell command with an encrypted script, denoted by an “iex” instruction.

When that proved too obvious, Emotet evolved in less than a week to obscure the encrypted string. Once the Trojan gains a foothold, it may compromise financial and email account information and siphon money directly from bank accounts.

Too Smart for Its Own Good?

Emotet isn’t just popular in isolation; other Trojans such as IcedID also leverage the tool as a distribution mechanism. It makes sense — the rapid pace of evolution makes this malware almost impossible to stop.

But as noted by Help Net Security, work done by the code’s creators to detect sandbox machines and avoid security monitoring has created an opportunity for users.

It works like this: Emotet carries a list of common sandbox-related usernames and hostnames — such as TEQUILABOOMBOOM, admin or SystemIT. If any of these names are detected on user systems, the malware won’t run. In addition, it looks for two file clusters: C:\a\foobar.bmp, C:\a\foobar.gif, and C:\a\foobar.doc; or C:\email.doc, C:\email.htm, C:\123\email.doc and C:\123\email.docx.

If all three files from the first cluster or all four files from the second are detected, the malware assumes it’s being analyzed and does not execute. The result is a kind of cybercriminal catch-22: Running on sandboxes opens the malware up to analysis and detection. Avoiding detection by using highly specific criteria, meanwhile, provides a way for users to sidestep system compromise.

Bottom line? Emotet has effectively outsmarted itself. By creating new usernames or adding file clusters, users can force the Trojan to abort installation. But given its history of rapid iteration and improvement, current tactics are workarounds, not total solutions. Expect Emotet to evolve again.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today