Banking Trojan Emotet
The Emotet Trojan is designed to steal banking credentials and other sensitive information. It is most often propagated by way of phishing emails containing a crafted document purporting to be an invoice or other business communication, or links to similar documents. Reportedly, the observed surge in Emotet activity involves the use of a spam botnet, which results in its rapid distribution via email and in turn distributes other malware such as IcedID and TrickBot. Emotet can also spread via a network propagation module that brute-forces its way into domain accounts using a dictionary attack. Emotet's use of compromised URLs as C&C servers likely helped it spread as well. Once Emotet has infected a host, a malicious file that is part of the malware is able to intercept, log, and save outgoing network traffic from a web browser, so that sensitive data is compiled and used to access the victim's bank account.

According to reports, the Trojan may download the following modules to carry out various tasks:
Distributed denial of service (DDoS) module
Email client infostealer module
Browser infostealer module
Personal Storage Table (PST) infostealer module
Monitor connection attempts towards the listed domains/IPs. The list may include compromised domain/IP resources as well; blocking the domains/IPs is solely the recipient's responsibility, after diligently verifying them so that operations are not impacted.
Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses, and block these before messages are received and downloaded.
Scan all emails, attachments, and downloads, both on the host and at the mail gateway, with a reputable antivirus solution.
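The monitoring step above is usually implemented as a watchlist match over proxy or DNS logs. The following Python script is an added example and not part of the advisory; the log line format, the watchlist domains (documentation and test names only) and the 203.0.113.0/24 range are constructed placeholders, not indicators from the advisory. It flags a destination that is on or under a watchlisted domain, or whose IP falls inside a watchlisted network, and reports matches for analyst review rather than blocking them, since listed resources may be compromised legitimate infrastructure.

```python
"""Watchlist matching over web-proxy log lines (added example, not from the advisory)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed watchlist: documentation/test names and ranges only, not real indicators.
WATCHLIST_DOMAINS = {"invoice-update.example", "docs-share.test"}
WATCHLIST_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed (constructed) proxy log format: "<iso-time> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def _normalise_host(host):
    """Lower-case and strip a trailing dot so comparisons are canonical."""
    return host.strip().lower().rstrip(".")


def domain_matches(host, watchlist=WATCHLIST_DOMAINS):
    """Return the watchlisted domain that host equals or is a subdomain of, else None.

    Matching on label boundaries avoids substring false positives such as
    'notdocs-share.test' matching 'docs-share.test'.
    """
    host = _normalise_host(host)
    for indicator in watchlist:
        ind = _normalise_host(indicator)
        if host == ind or host.endswith("." + ind):
            return ind
    return None


def ip_matches(address, networks=WATCHLIST_NETWORKS):
    """Return the watchlisted network containing address, else None (non-IP input gives None)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def scan_proxy_log(lines):
    """Return one dict per matching line: when, which client, which destination, which indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname  # strips scheme, port and path
        if not host:
            continue
        indicator = domain_matches(host) or ip_matches(host)
        if indicator:
            hits.append({"time": ts, "client": client, "dest": host, "indicator": indicator})
    return hits


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "2020-09-15T10:01:02Z 10.0.0.5 GET http://cdn.invoice-update.example/doc.php 200",
    "2020-09-15T10:01:03Z 10.0.0.5 GET https://www.example.org/ 200",
    "2020-09-15T10:02:10Z 10.0.0.9 POST http://203.0.113.77:8080/gate/ 503",
    "2020-09-15T10:02:11Z 10.0.0.9 GET http://notdocs-share.test/ 200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

On the sample input only the first and third lines are reported; the fourth line shows why the match is made on label boundaries rather than with a plain substring test.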
Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
Disable macros in Microsoft Office products. Some Office products allow macros that originate from outside the organization to be disabled, which provides a hybrid approach when the organization depends on the legitimate use of macros. On Windows, specific settings can block macros originating from the Internet from running.
Restrict the execution of PowerShell/WSCRIPT in an enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging (script block logging and transcription) enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
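The macro-blocking and PowerShell logging settings above are normally delivered as Group Policy registry values, so one way to verify they actually landed on a host is to audit a registry export. The script below is an added example, not from the advisory. It parses the text of a `reg export` (.reg) file and compares the policy values for blocking Internet-sourced Office macros and for PowerShell script block logging and transcription against the expected values. The PowerShell policy paths are the standard ones; the Office key path uses version `16.0` (Office 2016/365) as an assumption and must be adjusted for other versions, and the sample export is constructed for the demonstration.

```python
"""Audit a Windows registry export for the hardening settings listed above (added example)."""
import re

# (key path, value name, expected DWORD). Expected values are the assumed hardened settings:
# 1 enables script block logging / transcription and blocks Internet-origin macros.
# The Office "16.0" version segment is an assumption for Office 2016/365.
REQUIRED = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging",
     "EnableScriptBlockLogging", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription",
     "EnableTranscripting", 1),
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security",
     "blockcontentexecutionfrominternet", 1),
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security",
     "blockcontentexecutionfrominternet", 1),
]

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Path]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "Name"=dword:00000001


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: int}} for DWORD values in a .reg export.

    Keys and value names are case-insensitive in the registry, so both are lower-cased.
    Non-DWORD values (strings, binary) are ignored because the audit only needs DWORDs.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            keys.setdefault(current, {})
            continue
        dm = DWORD_RE.match(line)
        if dm and current is not None:
            keys[current][dm.group(1).lower()] = int(dm.group(2), 16)
    return keys


def audit(text, required=REQUIRED):
    """Return (key, value name, expected, actual) for each required setting that is absent or wrong.

    An absent value reports actual=None; a present but non-compliant value reports its number.
    """
    keys = parse_reg_export(text)
    findings = []
    for key, name, expected in required:
        actual = keys.get(key.lower(), {}).get(name.lower())
        if actual != expected:
            findings.append((key, name, expected, actual))
    return findings


# Constructed export: script block logging is on, transcription is not configured at all,
# Word blocks Internet macros, and Excel has the block explicitly turned off.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging]
"EnableScriptBlockLogging"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"blockcontentexecutionfrominternet"=dword:00000001
"VBAWarnings"=dword:00000003

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"blockcontentexecutionfrominternet"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, expected, actual in audit(SAMPLE_EXPORT):
        print(f"NON-COMPLIANT {key}\\{name}: expected {expected}, found {actual}")
```

Run against the sample export it reports two findings: the missing transcription policy and the Excel value set to 0. Distinguishing "absent" from "present but wrong" matters in practice, because an absent policy falls back to the application default rather than to the hardened value.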