Learn about Zero Trust Architecture
Impenetrable cybersecurity without sacrificing usability
Gain detailed visibility into all your endpoints activities
Harden applications and hardware environments
Immediate and continuous response to incidents
Close the window of time your data could be exposed
Get your Comodo solutions setup, deployed or optimized
Control access to malicious websites
Defend from any internet based threats
Stop email threats before it enters your inbox
Preserve and protect your sensitive data
Keep your website running fast and malware free
Add encryption to your websites
Automated certificate mgmt. platform
Secure private intranet environments
Digital signature solutions for cloud apps
Encrypt emails for senders and recipients
Stay compliant with PCI DSS
Trusted authentication for IoT devices
Francisco Partners a leading technology-focused private equity fund, has acquired a majority stake in Comodo’s certificate authority business. Newly renamed from Comodo CA Limited to Sectigo Limited. Privacy Policies, Trademarks, Patents and Terms & Conditions are available on Sectigo Limited’s web site.
Meet the people behind the direction for Comodo
Get the latest news about Comodo
People are the key to achievement and prosperity
Stay up to date with our on-demand webinars
Worldwide: Sales, Support and General Inquiries
Schedule a live demonstration of our solutions
Need immediate help? Call 1-888-551-1531
Instantly removes viruses to keep your PC virus free
Experience true mobile security on your mobile apple devices
Secure Internet Browser based on Chrome
Chrome browser internet security extension
Submit a ticket to our support team
Share any product bugs or security flaws
Collaborate with research experts on data sets
Valkyrie Threat Intelligence Plugins
Valkyrie Threat Intelligence APIs
If you ask a malware analyst to name the most dangerous and nefarious trojans, Emotet will be definitely present in the list. According to the National Cybersecurity and Communications Integration Center, the trojan “continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors”. Cunning and sneaky, it is massively spread around the world. New immense 4-day long attack of Emotet was intercepted by the Comodo antimalware facilities.
The attack began with the phishing email sent to 28,294 users.
As you can see, the email imitates DHL shipment and delivery message. The famous brand name serves as a tool to inspire trust in users. Curiosity factor also plays its role, so the chances a victim will click on the link in the email without thinking a lot are very high. And the moment a victim clicks the link, the attackers’ black magic comes to play.
Clicking on the link runs downloading a Word file. Of course, the Word file has nothing to do with any delivery — except delivery of malware. It contains a malicious macro code. As nowadays Microsoft turns off running macros by default in its products, the attackers need to trick users into running an older version. That’s why when a victim tries to open the file, the following banner appears.
If a user obeys the attackers’ request, the macro script comes to its mission — rebuilding an obfuscated shell code for the execution of cmd.exe
After rebuilding the obfuscated code, cmd.exe launches PowerShell, and the PowerShell tries to download and execute a binary from any available URL from the list:
At the time of writing, only the last one contained a binary, 984.exe.
The binary, as you may guess, is a sample of Emotet Banker Trojan.
Once executed, the binary places itself to C:\Windows\SysWOW64\montanapla.exe.
After that, it creates a service named montanapla that ensures the malicious process will launch with every startup.
Further, it tries to connect with Command&Control servers (126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11) to inform the attackers about the new victim. Then the malware waits for the attackers’ commands.
Now the covert remote connection with Command&Control server is established. Emotet is waiting, ready to execute any command from the attackers. Usually, it ferrets out private data on the infected machine; banking information is a priority. But that’s not all. Emotet also is used as a means to deliver many other types of malware to the infected machines. Thus infecting with Emotet can become just the first link in the chain of the endless compromising the victim’s computer with various malware.
But Emotet is not satisfied with compromising only one PC. It tries to infect other hosts in the network. In addition, Emotet has strong abilities to hide and bypass antimalware tools. Being polymorphic, it avoids signature-based detection by antiviruses. Also, Emotet is able to detect a Virtual Machine environment and disguise itself with generating false indicators. All of this makes it a hard nut for a security software.
“In this case, we faced with a very dangerous attack with far-reaching implications”, says Fatih Orhan, The Head of Comodo Threat Research Labs. ”Obviously, such immense attacks are aimed at infecting as many users as possible but that’s only a tip of the iceberg.
Infecting victims with Emotet just triggers the devastating process. First, it infects other hosts in the network. Second, it downloads other types of malware, so the infection process of the compromised PCs becomes endless and grows exponentially. By stopping this massive attack, Comodo protected tens of thousands of users from this cunning malware and cut the killing chain of the attackers. This case is a one more confirmation that our customers are protected even from the most dangerous and powerful attacks”.
Live secure with Comodo!
The heatmap and IPs used in the attack
The attack was conducted from three Cyprus-based IPs and domain @tekdiyar.com.tr. It started on July 23, 2018 at 14:17:55 UTC and ended on July 27, 2018 at 01:06:00.
The attackers sent 28.294 phishing emails.
Best Antivirus Software
Tags: Cyber Security,Trojan,malware
Reading Time: 4 minutes Increased dependency on computers and access to data makes an organization more vulnerable to cybersecurity threats. With the increase in cyber-criminals and cyber-attacks, many companies today are looking for greater protection of their decentralized computing work environments from their Managed Service Providers (MSPs). As a result, MSPs need to deliver firewall solutions that are designed…
Reading Time: 3 minutes Rapid technological growth and increasing digitalization in all aspects of life around the world have increased the value of ensuring cyber-security at all levels. This is increasingly true for EU member states and the organizations that are based in or operate from these countries. The number of cyber-attacks targeting EU member states has risen. The…
Reading Time: 3 minutes Disruptions are often unforeseen. This could be a catastrophic event like a hurricane, a fire, or an earthquake. Disruptions, however, can also come in other forms such as that of a pandemic. This means that a building doesn’t necessarily have to be demolished or lives have to be lost for an unforeseen event to completely…
Sign up to our cyber security newsletter
Comodo Cybersecurity would like to keep in touch with you about cybersecurity issues, as well as products and services available. Please sign up to receive occasional communications. As a cybersecurity company, we take your privacy and security very seriously and have strong safeguards in place to protect your information.
See how your organization scores against cybersecurity threats