Highlights:
- Researchers observe signs of the Emotet banking Trojan to come into action after a pause
- As per Herjavec Group, the new modules are speculated to be initial steps toward the launch of a new phishing campaign
- The possible malware is speculated to leave victims with the fear of hashbusting implementations that are more dangerous compared to the older version
Security experts and researchers have observed signs that tell the Emotet banking Trojan might get active post its latest pause by activating the newly enhanced credential and email heist modules.
More about Emotet
Last active in January 2020, the Herjavec Group is of the opinion that new modules are being positioned as the primary steps toward the launch of a new and more dangerous phishing campaign.
Analysts also state that if and when these modules are released, the victims will have a tough time combating the antimalware evasion and also will have to deal with a hashbusting functioning that adds to the danger quotient in comparison to the older versions. To add to the concern, hashbusting makes sure that the malware operates with a different hash on every system it infects, making hash-based detections useless.
A few integrated technical changes make use of reworked malware code to incorporate the use of a state of a machine to confuse the control flow and branches of code being flattened into nested loops that further allow code blocks to be in any order and operationally execute in order by the state machine.
The last series of attacks by Emotet kick-started on January 13, 2020, targeting the US, and this took place after a three-week break in the activity. Apparently, that was the time when most of the phishing emails carried business-related Microsoft Word attachments, such as proof-of-delivery documents and agreements. The users who clicked on the attachments were affected by the malicious macros embedded and later were infected with Emotet.
As of now, it is not known how the speculated attack might operate, but Herjavec Group recommends the following precautions:
- It is recommended to block email attachments that are most commonly associated with malware. For example, .dll and .exe.
- It is a wise move to block email attachments such as zip files that cannot be scanned by antivirus.
- The rule of thumb to avoid such phishing attacks is to action Group Policy Objective and strong firewall rule.
- Have in place an antivirus program and make sure to deploy a formalized patch management process.
- It is strongly recommended to implement filters at the email gateway as a practice to block suspicious IP addresses.