A BANKING TROJAN dubbed Emotet, first uncovered in 2014, has returned and is targeting Brits with phishing emails.
The new variant of the Emotet Trojan appears to be targeting the UK, with more than three-quarters of attacks reported in Blighty, according to security software company Zscaler.
The Trojan is spread via phishing emails and, if activated, steals banking credentials and email addresses. It is commonly distributed through documents sent via email, with what Zscaler describes as highly obfuscated macros that serve payloads to download and install the Trojan onto a victim's machine.
Furthermore, warns Zscaler, there have also been reports that the Trojan can spread via network exploits, presumably using the US National Security Agency exploits 'showcased' in the recent WannaCry and NotPetya malware outbreaks.
However, these reports have yet to be confirmed and Zscaler admits that such features in the malware haven't yet been identified.
Emotet first emerged in 2014 when it wreaked havoc in the US and Europe, according to Zscaler, but has re-emerged this year, with the first reports coming in April 2017.
"Emotet is a multi-component malware which specialises in a multitude of nefarious activities, including stealing credentials from browsers and mail clients, banking theft via Man-in-the-Browser attack, email harvesting and propagation through spam emails from infected systems," warns Zscaler in its report.
The code is encrypted to obfuscate the attack from security software "[It] is decrypted in the memory using a custom algorithm involving ‘Base-64 decode' and ‘XOR'. A new process is created in suspended mode and the decrypted Emotet binary is written in the address space of this process".
A new process and system service is created in Windows and, once the service is started, a Windows API is invoked to periodically trigger core malicious code that is responsible for communication with the command and control (C&C) servers, send collected information, and await commands from the server. µ
Flaw allows hackers to extract plaintext passwords from the Keychain
Firm explains how to properly build websites for its upcoming flagship
Is restoring from backup really the better than prevention?
Allowed anyone to pinpoint locations visited by customers of SVR Tracking