New Immense Attack of Emotet Trojan Targeted Thousands of Users

Reading Time: 4 minutes

If you ask a malware analyst to name the most dangerous and nefarious trojans, Emotet will be definitely present in the list. According to the National Cybersecurity and Communications Integration Center, the trojan “continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors”. Cunning and sneaky, it is massively spread around the world. New immense 4-day long attack of Emotet was intercepted by the Comodo antimalware facilities.

The attack began with the phishing email sent to 28,294 users.

phishing email

As you can see, the email imitates DHL shipment and delivery message. The famous brand name serves as a tool to inspire trust in users. Curiosity factor also plays its role, so the chances a victim will click on the link in the email without thinking a lot are very high. And the moment a victim clicks the link, the attackers’ black magic comes to play.

Clicking on the link runs downloading a Word file. Of course, the Word file has nothing to do with any delivery — except delivery of malware. It contains a malicious macro code. As nowadays Microsoft turns off running macros by default in its products, the attackers need to trick users into running an older version. That’s why when a victim tries to open the file, the following banner appears.

trojan

If a user obeys the attackers’ request, the macro script comes to its mission — rebuilding an obfuscated shell code for the execution of cmd.exe

After rebuilding the obfuscated code, cmd.exe launches PowerShell, and the PowerShell tries to download and execute a binary from any available URL from the list:

-http://deltaengineering.users31.interdns.co.uk/KepZJXT
http://d-va.cz/ZVjGOE9
http://dveri509.ru/y1
http://www.dupke.at/rFQA
http://clearblueconsultingltd.com/VkIiR

At the time of writing, only the last one contained a binary, 984.exe.

The binary, as you may guess, is a sample of Emotet Banker Trojan.

Once executed, the binary places itself to C:\Windows\SysWOW64\montanapla.exe.

After that, it creates a service named montanapla that ensures the malicious process will launch with every startup.

Further, it tries to connect with Command&Control servers (181.142.74.233, 204.184.25.164, 79.129.120.103, 93.88.93.100) to inform the attackers about the new victim. Then the malware waits for the attackers’ commands.

Now the covert remote connection with Command&Control server is established. Emotet is waiting, ready to execute any command from the attackers. Usually, it ferrets out private data on the infected machine; banking information is a priority. But that’s not all. Emotet also is used as a means to deliver many other types of malware to the infected machines. Thus infecting with Emotet can become just the first link in the chain of the endless compromising the victim’s computer with various malware.

But Emotet is not satisfied with compromising only one PC. It tries to infect other hosts in the network. In addition, Emotet has strong abilities to hide and bypass antimalware tools. Being polymorphic, it avoids signature-based detection by antiviruses. Also, Emotet is able to detect a Virtual Machine environment and disguise itself with generating false indicators. All of this makes it a hard nut for a security software.

“In this case, we faced with a very dangerous attack with far-reaching implications”, says Fatih Orhan, The Head of Comodo Threat Research Labs. ”Obviously, such immense attacks are aimed at infecting as many users as possible but that’s only a tip of the iceberg.

Infecting victims with Emotet just triggers the devastating process. First, it infects other hosts in the network. Second, it downloads other types of malware, so the infection process of the compromised PCs becomes endless and grows exponentially. By stopping this massive attack, Comodo protected tens of thousands of users from this cunning malware and cut the killing chain of the attackers. This case is a one more confirmation that our customers are protected even from the most dangerous and powerful attacks”.

Live secure with Comodo!

The heatmap and IPs used in the attack

The attack was conducted from three Cyprus-based IPs and domain @tekdiyar.com.tr. It started on July 23, 2018 at 14:17:55 UTC and ended on July 27, 2018 at 01:06:00.
The attackers sent 28.294 phishing emails.