November 16, 2017 By Douglas Bonderud 2 min read

Banking Trojans are now commonplace. Cybercriminals rely on them because they generate reliable profits. Although users are getting wise to basic techniques, new variants ensure that attackers always have another avenue of compromise.

Consider the ongoing threat of Emotet, which has been making the rounds since 2014. According to Minerva, its latest campaign includes a host of upgrades that make it hard to detect and even harder to stop. The silver lining? Current versions of the code also include a loophole users can leverage to keep their systems clear.

Emotet’s Threat Evolution

The Trojan made a name for itself in 2014 by intercepting network activity and stealing data via DLL injections. Later the same year, the Trojan was upgraded with modular capabilities and code, allowing it to initiate automated banking transfers from victims’ accounts to command-and-control (C&C) servers. Emotet’s authors also ensured that Russian-speaking users were left alone.

By 2015, it included the ability to detect if it was running on a virtual machine used for security testing and contacted fake C&C servers to mislead researchers.

2017 has been a busy year for this Trojan. It gained features including:

  • Sandbox evasion — Download URLs are encrypted, making it harder for security teams to grab malware samples.
  • Exploit inclusion — The Trojan was first to use EternalBlue/DOUBLEPULSAR as part of an organized attack campaign.
  • Improved modules — Recently added modules now steal browser and email credentials.
  • Machine mining — New code lets the malware grab details about victims’ machines, including process names and specifications, and then decides how to proceed.

Now Emotet is staging yet another comeback, this time using a new infection vector: emails that contain a link to malicious documents, rather than attachments. This lets the malware evade standard email security solutions. If users download the malicious file and enable Word macros, the code executes a batch script and PowerShell command with an encrypted script, denoted by an “iex” instruction.

When that proved too obvious, Emotet evolved in less than a week to obscure the encrypted string. Once the Trojan gains a foothold, it may compromise financial and email account information and siphon money directly from bank accounts.

Too Smart for Its Own Good?

Emotet isn’t just popular in isolation; other Trojans such as IcedID also leverage the tool as a distribution mechanism. It makes sense — the rapid pace of evolution makes this malware almost impossible to stop.

But as noted by Help Net Security, work done by the code’s creators to detect sandbox machines and avoid security monitoring has created an opportunity for users.

It works like this: Emotet carries a list of common sandbox-related usernames and hostnames — such as TEQUILABOOMBOOM, admin or SystemIT. If any of these names are detected on user systems, the malware won’t run. In addition, it looks for two file clusters: C:\a\foobar.bmp, C:\a\foobar.gif, and C:\a\foobar.doc; or C:\email.doc, C:\email.htm, C:\123\email.doc and C:\123\email.docx.

If all three files from the first cluster or all four files from the second are detected, the malware assumes it’s being analyzed and does not execute. The result is a kind of cybercriminal catch-22: Running on sandboxes opens the malware up to analysis and detection. Avoiding detection by using highly specific criteria, meanwhile, provides a way for users to sidestep system compromise.

Bottom line? Emotet has effectively outsmarted itself. By creating new usernames or adding file clusters, users can force the Trojan to abort installation. But given its history of rapid iteration and improvement, current tactics are workarounds, not total solutions. Expect Emotet to evolve again.

More from

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

What should an AI ethics governance framework look like?

4 min read - While the race to achieve generative AI intensifies, the ethical debate surrounding the technology also continues to heat up. And the stakes keep getting higher.As per Gartner, “Organizations are responsible for ensuring that AI projects they develop, deploy or use do not have negative ethical consequences.” Meanwhile, 79% of executives say AI ethics is important to their enterprise-wide AI approach, but less than 25% have operationalized ethics governance principles.AI is also high on the list of United States government concerns.…

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today