Mon Apr 27 2020
After months of inactivity, experts warn that Emotet bots are becoming active again
Emotet, widely regarded as one of the most dangerous malware botnets currently in existence, is back with improved modules that help hide its presence on infected networks.
This comes from researchers at a cyber security firm who tweeted yesterday that the Emotet botnets have had a complete overhaul: the malware has been redesigned and some of its modules now carry enhanced anti-malware evasion capabilities.
Emotet is back and better (worse) than before. After months of inactivity, all botnets are showing signs of life and utilising new evasion techniques. Botnet E2 is currently deploying credential and email stealing modules, likely in preparation for a new spam campaign.
Branches are flattened into nested loops, allowing code blocks to be placed in arbitrary order, with flow controlled by a randomised state value. This allows for easy code mutation and possibly polymorphism.
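To make the tweet's description concrete, here is an added Python illustration (not Emotet code and not from the researchers quoted above): a small function with an ordinary loop and branch, and an equivalent version whose basic blocks are stored in arbitrary order and driven by a single dispatcher loop keyed on randomised state labels. The function names, the state-label range and the sample input are invented for the example; each call to `build_flattened` with a different seed yields a behaviourally identical function with different labels and block order, which is the "easy code mutation" the tweet refers to.

```python
import random


def classify_original(values):
    """Plain version: the loop and the branch are visible in the source."""
    total = 0
    i = 0
    while i < len(values):
        if values[i] % 2 == 0:
            total += values[i]
        else:
            total -= values[i]
        i += 1
    return total


def build_flattened(seed):
    """Return a function equivalent to classify_original with flattened control flow.

    Every basic block gets a random state label drawn from `seed`, the blocks
    are stored in shuffled order, and one dispatcher loop runs whichever block
    the current state names. Changing the seed changes labels and storage order
    without changing behaviour. (Illustrative scheme, not Emotet's own code.)
    """
    rng = random.Random(seed)
    # Six distinct labels: five basic blocks plus the exit state.
    entry, cond, even, odd, incr, exit_ = rng.sample(range(0x1000, 0x10000), 6)

    def b_entry(ctx):
        ctx["total"] = 0
        ctx["i"] = 0
        return cond

    def b_cond(ctx):
        if ctx["i"] >= len(ctx["values"]):
            return exit_
        return even if ctx["values"][ctx["i"]] % 2 == 0 else odd

    def b_even(ctx):
        ctx["total"] += ctx["values"][ctx["i"]]
        return incr

    def b_odd(ctx):
        ctx["total"] -= ctx["values"][ctx["i"]]
        return incr

    def b_incr(ctx):
        ctx["i"] += 1
        return cond

    blocks = [(entry, b_entry), (cond, b_cond), (even, b_even),
              (odd, b_odd), (incr, b_incr)]
    rng.shuffle(blocks)  # storage order carries no information about flow
    table = dict(blocks)

    def flattened(values):
        ctx = {"values": list(values)}
        state = entry
        while state != exit_:  # the dispatcher: the only loop left in the source
            state = table[state](ctx)
        return ctx["total"]

    flattened.labels = (entry, cond, even, odd, incr, exit_)
    flattened.order = [label for label, _ in blocks]
    return flattened


if __name__ == "__main__":
    sample = [3, 4, 7, 10]  # constructed input
    for seed in (1, 2):
        f = build_flattened(seed)
        print(seed, f.labels, f.order, f(sample), classify_original(sample))
```

The point for an analyst is that a decompiler shows the flattened version as one `while` loop over a lookup table, and the labels (and the order of the blocks in the table) differ from build to build, so neither the control-flow graph nor the constants are a stable signature.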
Emotet's operators are also thought to be using a hashbusting technique, so that the malware's file hash is different on each infected system; a blocklist of known file hashes therefore no longer identifies the sample. The tweet also mentioned that Emotet's code now uses "a state machine to obfuscate control flow".
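The detection consequence of hashbusting, as an added Python example (constructed bytes, not real Emotet samples): a stand-in file body gets a different random tail per "infected host", so a SHA-256 blocklist built from one sample misses every other one, while a content signature taken from the unchanged body still matches. The payload bytes, the signature and the seeds are all invented for the example.

```python
import hashlib
import random

# Constructed stand-in for a malicious file body; not real Emotet bytes.
PAYLOAD = b"MZ" + b"\x00" * 62 + b"DISPATCH:" + bytes(range(256)) * 4

# Byte pattern a content-based rule (e.g. a YARA string) would key on.
# It comes from the body, which a trailing-bytes hashbust does not touch.
SIGNATURE = b"DISPATCH:" + bytes(range(32))


def make_sample(seed):
    """Return PAYLOAD with a random trailing blob, as a hashbusting build would,
    so that every infected host ends up with a file of a different hash."""
    rng = random.Random(seed)
    tail = bytes(rng.getrandbits(8) for _ in range(rng.randint(16, 64)))
    return PAYLOAD + tail


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_detects(sample, blocklist):
    """Hash-based detection: only an exact file match counts."""
    return sha256_hex(sample) in blocklist


def signature_detects(sample):
    """Content-based detection: unaffected by bytes outside the matched span."""
    return SIGNATURE in sample


def compare(seeds, known_seed):
    """Build a blocklist from one known sample, then test the others.

    Returns {seed: (hash_hit, signature_hit)}."""
    blocklist = {sha256_hex(make_sample(known_seed))}
    return {
        seed: (hash_blocklist_detects(make_sample(seed), blocklist),
               signature_detects(make_sample(seed)))
        for seed in seeds
    }


if __name__ == "__main__":
    for seed, (by_hash, by_sig) in compare([1, 2, 3], known_seed=1).items():
        print(f"sample {seed}: sha256={sha256_hex(make_sample(seed))[:16]}... "
              f"hash_blocklist={by_hash} signature={by_sig}")
```

Only the sample the blocklist was built from is caught by hash; the rest are caught only by the content rule. Sharing hashes of Emotet samples between organisations is therefore of limited use once the loader is hashbusted, and rules should key on code or behaviour instead.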
Emotet started life as a banking Trojan, much like Trickbot, but over the last few years it has been rewritten into a malware loader.
It is estimated that the malware had to be removed from nearly 1.5 million systems across the first three quarters of 2018, and it became such a threat that US-CERT issued a dedicated alert on Emotet in 2018.
Once on a system, the malware can steal passwords from local applications and spread laterally to other machines on the network. It can also steal entire email threads, which are later reused in spam campaigns.
The actors behind Emotet run their botnets as Malware-as-a-Service (MaaS): as part of their ongoing scheme, other cyber criminals rent access to Emotet-infected networks and simply drop in their own malware.
If you think your cyber security needs beefing up cloudThing will be happy to have a chat with you about the best steps forward.