Emotet Returns; This Time with Trickbot


Saturday, January 2nd, 2021

Emotet, originally a banking trojan that gained notoriety in 2014 and is known for its prolonged periods of dormancy, has returned to the cybersecurity scene with advanced payloads. Moving beyond its banking trojan roots, Emotet has evolved to become a “full-service threat-delivery mechanism.” It can install a collection of malware on a victim’s machine, including information stealers, email harvesters, self-propagation mechanisms and ransomware.

Regularly going dormant for weeks or months at a time, Emotet was last seen in October of this year, when it was used to target volunteers for the Democratic National Convention. During the DNC attacks the secondary payloads delivered by Emotet were TrickBot, Qakbot, and ZLoader. Earlier last week Emotet was observed in the wild delivering the TrickBot payload once again.

In a similar story to Emotet, TrickBot was first developed in 2016 as banking malware. Like Emotet, TrickBot has a history of evolving and adding new features in order to evade detection or to advance its infection capabilities. Users infected with the TrickBot trojan can expect their device to become part of a wider botnet that attackers can use to load second-stage malware. In fact, researchers have referred to TrickBot as an “ideal dropper for almost any additional malware payload.” Typical consequences of TrickBot infections are bank-account takeover, high-value wire fraud and ransomware attacks. It most recently implemented functionality designed to inspect the UEFI/BIOS firmware of targeted systems.

A new Emotet attack functionality known as “thread hijacking” has been observed by cybersecurity researchers. Thread hijacking allows threat actors to insert themselves into an existing email conversation, replying to a real email that was sent from a target. The target then has no reason to suspect that the reply is malicious. Some of the malicious emails that were captured and inspected asked recipients to open a .zip attachment, supplying a password to access it. The .zip attachment contains a document carrying the malicious macro code that installs Emotet; the document claims to be “protected” and instructs the user to enable macros in order to view it. Once macros are enabled, a dialog box appears claiming that “Word experienced an error trying to open the file.” This gives the user an explanation for why they cannot see the expected content, allowing Emotet to begin running in the background without raising suspicion.
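The lure pattern described above (a reply into a real thread, an archive attachment, and the archive password handed over in the same mail) lends itself to a simple mail-gateway heuristic. The following is an added example written for this post, not code from the article or from any researcher it cites; it assumes a constructed thread index mapping a Message-ID to the addresses that really took part in that thread, and the sample messages and zip bytes are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed thread index: Message-ID of an earlier mail -> addresses that
# actually took part in that thread (a real deployment would build this from
# the mail store).
THREAD_PARTICIPANTS = {
    "<orig-1@corp.example>": {"alice@corp.example", "bob@partner.example"},
}

def hijack_indicators(msg, threads=THREAD_PARTICIPANTS):
    """Return the lure indicators that match; an empty list means none did."""
    reasons = []
    parent = str(msg.get("In-Reply-To", "")).strip()
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    known = threads.get(parent)
    # The reply claims membership of a real thread, but the sending address
    # never appeared in it: the core "thread hijacking" signal.
    if known is not None and sender not in known:
        reasons.append("reply from an address that never took part in the thread")
    names = [p.get_filename().lower() for p in msg.iter_attachments()
             if p.get_filename()]
    has_zip = any(n.endswith(".zip") for n in names)
    if has_zip:
        reasons.append("archive attachment on a reply")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    # An archive whose password travels in the same mail cannot be inspected
    # by the gateway, so the pairing is treated as its own indicator.
    if has_zip and "password" in body:
        reasons.append("archive password supplied in the message body")
    return reasons

def build_message(sender, in_reply_to, body, attach_zip):
    """Construct a sample reply; the zip bytes are a stand-in, not real content."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "alice@corp.example", "RE: invoice"
    msg["In-Reply-To"] = in_reply_to
    msg.set_content(body)
    if attach_zip:
        msg.add_attachment(b"PK\x03\x04 constructed placeholder", maintype="application",
                           subtype="zip", filename="Invoice.zip")
    return msg

LEGIT = build_message("bob@partner.example", "<orig-1@corp.example>",
                      "Thanks, the signed copy is in the shared folder.", False)
LURE = build_message("bob@partner-mail.example", "<orig-1@corp.example>",
                     "See attached, the password is in my earlier mail.", True)

if __name__ == "__main__":
    for label, m in (("legit", LEGIT), ("lure", LURE)):
        print(label, hijack_indicators(m))
```

The sender check on its own is a weak signal, since a reply can come from a legitimately compromised participant account; the value is in the combination of indicators, which is why the function returns all of them rather than a single verdict.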
