Emotet is a banking trojan that also acts as a downloader: once it is running on a host, it fetches and installs further trojans onto that system or onto others in the network. US-CERT describes it as among the most costly and destructive malware affecting state, local, tribal, and territorial governments, as well as the public and private sectors, and has warned of its continued spread since 2017, noting the aggressive methods it uses to steal information. Emotet is delivered through Microsoft Office documents and attachments (for example, a file posing as a greeting card) that execute the malware once the user allows them to run; its modular Dynamic Link Libraries then call into the Windows API to load new capabilities. Because it spreads quickly across a network, recovering a compromised network has cost organisations up to $1 million per incident. Its operators are constantly adding techniques to keep the malware persistent within the network.
Emotet is not only responsible for dropping new trojans onto the system; it also evades signature-based detection (its binaries are polymorphic) and survives reboots by writing autorun entries to the registry.
Its operators also build in virtual-machine awareness: when executed in a sandboxed analysis environment the malware produces false indicators, misleading automated analysis. Its modular DLL design lets the banking malware evolve and update its functionality over time.
Emotet Banking Malware Infection Process
Emotet spreads through emails carrying malicious links or attachments. The message content looks legitimate, posing as a PayPal receipt or other banking-related correspondence, which convinces the user to open the email and the attachment in it.
When the user clicks the link or opens the attachment, typically a Word document that asks the user to enable macros, the trojan executes on the host and starts spreading rapidly across the local network.
US-CERT reports that Emotet uses five known spreader modules:
- NetPass.exe – a legitimate NirSoft password-recovery utility that recovers all network passwords stored on the system for the currently logged-on user.
- Outlook scraper – scrapes names and the corresponding email addresses from the victim's Outlook accounts and uses them to send further phishing emails from the compromised account.
- WebBrowserPassView – a password-recovery tool that lets the malware capture passwords saved by web browsers.
- Mail PassView – a password-recovery tool that reveals account details and passwords for various email clients.
- Credential enumerator – enumerates network resources over Server Message Block (SMB), looking for writable shares, and attempts to brute-force user accounts, including the administrator account.
Once the infection is complete, the malware injects malicious code into running processes, mainly explorer.exe. From there it gathers sensitive information such as the system name and location, and it connects to its command-and-control (C2) server.
Once connected to the C2 server, the malware reports the new infection, receives configuration data, downloads and runs additional malicious files, receives instructions, and uploads harvested information to the C2 server.
Finally, the stolen credentials and other confidential banking data from the infected network are exfiltrated to the attackers, disrupting regular operations and causing loss of business and customer files.
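As an added example (not code from the original article, nor anything published by US-CERT or Comodo), the following Python hunting script turns the chain described above into three detection rules run over constructed, Sysmon-style telemetry: an Office process spawning a script host or an executable from an untrusted path (the macro stage), a Run key whose target lives outside trusted program directories (the registry persistence stage), and a remote thread created in explorer.exe from an untrusted image (the injection stage). A host on which two or more distinct rules fire is reported as a likely multi-stage chain. The event schema, field names, host names and file names are all assumptions made for this example.

```python
"""Hunting rules for the Emotet infection chain (added example, not from the article).

The records below use a constructed, simplified Sysmon-like schema; every field
name, path and host name is an assumption made for this illustration.
"""
import ntpath
from collections import defaultdict

# Constructed sample telemetry. Host WS01 shows the chain: a macro-enabled Word
# document spawns PowerShell, a randomly named dropper registers a Run key, then
# that dropper injects a thread into explorer.exe. Host WS02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "ProcessCreate",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS01", "type": "RegistryValueSet",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qpxvztmk",
     "data": r"C:\Windows\qpxvztmk.exe"},
    {"host": "WS01", "type": "CreateRemoteThread",
     "source": r"C:\Windows\qpxvztmk.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "type": "ProcessCreate",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "WS02", "type": "RegistryValueSet",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories where legitimately installed binaries are expected. Note that the
# Windows root itself is deliberately NOT trusted: a dropper parked directly in
# C:\Windows is exactly what this rule should catch.
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)",
                r"c:\windows\system32", r"c:\windows\syswow64")


def base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def in_trusted_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def rule_office_spawned_child(ev):
    """Macro stage: an Office process launching a script host or an untrusted binary."""
    if ev["type"] != "ProcessCreate" or base(ev["parent"]) not in OFFICE_APPS:
        return None
    child = ev["image"]
    if base(child) in SCRIPT_HOSTS or not in_trusted_dir(child):
        return f"{base(ev['parent'])} spawned {child}"
    return None


def rule_run_key_untrusted_path(ev):
    """Persistence stage: an autorun entry whose target is outside trusted directories."""
    if ev["type"] != "RegistryValueSet":
        return None
    if r"\microsoft\windows\currentversion\run" not in ev["key"].lower():
        return None
    if in_trusted_dir(ev["data"]):
        return None
    return f"Run key {ev['key']} points at {ev['data']}"


def rule_explorer_remote_thread(ev):
    """Injection stage: a remote thread created in explorer.exe by an untrusted image."""
    if ev["type"] != "CreateRemoteThread" or base(ev["target"]) != "explorer.exe":
        return None
    if in_trusted_dir(ev["source"]):
        return None
    return f"{ev['source']} created a remote thread in explorer.exe"


RULES = {
    "office_spawned_child": rule_office_spawned_child,
    "run_key_untrusted_path": rule_run_key_untrusted_path,
    "explorer_remote_thread": rule_explorer_remote_thread,
}


def hunt(events):
    """Return (host, rule_name, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append((ev["host"], name, detail))
    return findings


def correlate(findings, threshold=2):
    """Hosts where at least `threshold` distinct rules fired; several stages on
    one host are a far stronger signal than any single rule on its own."""
    rules_by_host = defaultdict(set)
    for host, rule, _ in findings:
        rules_by_host[host].add(rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, rule, detail in found:
        print(f"{host} | {rule} | {detail}")
    print("hosts with a multi-stage chain:", correlate(found))
```

Each rule is deliberately loose on its own (a Run key pointing into a user's AppData is common for legitimate software), which is why the correlation step, not the individual hit, is what an analyst should triage first. On real Sysmon data the same three checks map onto Event ID 1 (process creation), Event ID 13 (registry value set) and Event ID 8 (CreateRemoteThread).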
Therefore, given the capabilities of the Emotet banking trojan and its activity against the banking and government sectors, it is important to run next-generation anti-malware software such as the Comodo Internet Security suite to reduce the risk of infection.