July 25, 2017 By Larry Loeb

Researchers at Fidelis Cybersecurity recently observed a new variant of the Emotet Trojan. According to the company’s Threatgeek blog, this variant contains a feature that can help the malware propagate over internal networks.

SecurityWeek noted that the success of this network-spreading feature may encourage other threat actors to use similar components in their malware.

Emotet Trojan Tracks Geographic Spread of Malware

Previously, Emotet was used as a banking Trojan that targeted users in Europe and the U.S. But Fidelis noticed that in recent attacks, a new variant served as a downloader for other Trojans based on the victim’s geographic location.

Here’s how it works: The spreader enumerates a network’s resources and seeks out shares to which it can write a file and create a remote service, which is called Windows Defender System Service. According to the security firm, for any shared password-protected resource the malware finds on the network, it tries to brute-force user and administrator accounts for IPC$.

After a few checks, the Trojan attempts to connect to the IPC$ share. If it’s unable to connect, it tries to derive the normal user accounts using NetUserEnum. Using the derived list of usernames, it then attempts to brute-force the password for each user with an onboard password list in a dictionary-style attack. If this succeeds, it forms the basis of what actually gets loaded onto the remote computer.

The remote service is what actually writes the malware to the shared resource. It then executes it, making a callout to a hardcoded IP. Because the victim’s computer name is used in the POST request data, malware actors can quickly track statistics on locations to which the Trojan has spread.
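A detection sketch for the behavior described above, added here as an example and not taken from Fidelis or the original article: it correlates bursts of failed logons (Windows event ID 4625) with the installation of a service named Windows Defender System Service (event ID 7045). The event records, field names, threshold and time window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SERVICE_NAME = "Windows Defender System Service"  # name reported in the article
MIN_USERS = 3                   # assumed: distinct accounts failing from one source
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events with simplified fields (not a real log export).
# 4625 = failed logon (Security log); 7045 = service installed (System log).
EVENTS = [
    {"time": "2017-07-20T10:00:01", "id": 4625, "host": "FS01", "src": "WS17", "user": "alice"},
    {"time": "2017-07-20T10:00:03", "id": 4625, "host": "FS01", "src": "WS17", "user": "bob"},
    {"time": "2017-07-20T10:00:05", "id": 4625, "host": "FS01", "src": "WS17", "user": "administrator"},
    {"time": "2017-07-20T10:00:40", "id": 7045, "host": "FS01", "service": SERVICE_NAME},
    {"time": "2017-07-20T11:15:00", "id": 4625, "host": "FS02", "src": "WS22", "user": "carol"},
    {"time": "2017-07-20T11:16:00", "id": 7045, "host": "FS02", "service": "Print Helper"},
    {"time": "2017-07-20T12:30:00", "id": 7045, "host": "FS03", "service": SERVICE_NAME},
]


def find_spreader_activity(events):
    """Report each install of SERVICE_NAME, with any sources that failed logons
    for MIN_USERS or more distinct accounts on that host within WINDOW before it."""
    failures = defaultdict(list)  # host -> [(time, source, user)]
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            failures[ev["host"]].append((when, ev["src"], ev["user"].lower()))
        elif ev["id"] == 7045 and ev.get("service") == SERVICE_NAME:
            users_by_src = defaultdict(set)
            for seen, src, user in failures[ev["host"]]:
                if when - seen <= WINDOW:
                    users_by_src[src].add(user)
            sources = sorted(s for s, u in users_by_src.items() if len(u) >= MIN_USERS)
            findings.append({"host": ev["host"], "time": ev["time"],
                             "bruteforce_sources": sources,
                             "severity": "high" if sources else "review"})
    return findings


if __name__ == "__main__":
    for finding in find_spreader_activity(EVENTS):
        print(finding)
```

A service install with the reported name is flagged even without a preceding logon burst, because the brute-force step only happens when the initial IPC$ connection fails.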

Spreader Feature Is Distinct From Emotet Malware

Researchers drew attention to differences between Emotet’s packaging, which is usually encrypted, and that of the spreader feature. These differences suggest that the spreader may be a test package produced by a specific actor rather than Emotet itself.

In any case, it is more than prudent to stop this threat at the injection point, which is a phishing email. To stop the spread of Trojans, practice caution by not opening unverified emails or attachments. These standard defenses that security professionals recommend may end up saving the user from financial harm.
