Security analysts have recently noticed that Emotet has changed its tactics again, which means it had already modified its tactics before. This post is all about the evolution of Emotet. If you want to become familiar with all aspects of Emotet, reading this post will be useful to you.
Get Familiar With the Evolution of Emotet
As System users, we are all familiar with the fact that Emotet malware has been active on the Internet since 2014. It evolves each year to incorporate new behavior and new capabilities. Emotet is mainly known as a banking malware because it is able to intercept network activity in order to steal users' crucial data by injecting a malicious DLL into sensitive processes. The con artists behind the malware keep evolving it, and later versions use a technique that steals money from the victim's account by starting automated transfers.
Features That Emotet Added In 2015
In January 2015, Emotet reappeared, and this time its creators enhanced the original malware with several evasion methods, including:
- Key elements of Emotet were decrypted in allocated memory.
- Contacts a set of fake Command & Control servers.
- Executes some of its malicious processes, including vmacthlp.exe, vboxtray.exe, vmtoolsd.exe and vboxservice.exe.
Tactics That Emotet Evolved In 2017
Later, in 2017, Emotet evolved again. That year, Emotet made a second comeback and added more modules and tactics, including:
- Distributed via exploits – Emotet is regarded as the first malware to adopt the ETERNALBLUE/DOUBLEPULSAR exploit kit as part of an organized, traditional cyber-crime campaign. This integration enabled Emotet to infect networks.
- Sandbox evasion – Emotet adopted this evasion tactic to avoid detection of the URLs stored in its locked list.
- Distributed via brute force – The evolved Emotet added a new way to compromise more Windows PCs: its developers added the ability to brute-force Active Directory domain accounts with a dictionary attack.
- Obfuscated code – Emotet's obfuscation improved, and junk data was added that slows down the PC. It hides its functions in an array of hashes so that they are resolved only at execution time.
- File encryption – Earlier, communication was locked using RC4, but in that version Emotet switched to 128-bit AES in CBC mode.
- Collection of victim's machine details – Emotet is known for collecting details about the user's machine, including IP addresses, process names, and System as well as network configuration details.
- A new C2 protocol, new modules, a new C2 communication method and more.
A Newer Variant of Emotet Emerged In 2018
Despite all of this, in May 2018 Emotet changed its approach again and added more features. The latest variant of Emotet has flooded the web to infect users with malicious spam email messages that prompt the System user to open a link leading to an MS Word document. Bear in mind that, unlike other campaigns, the suspicious document is not attached to the spam; it is typically hosted on a remote web server to bypass security measures.
The malicious document tricks System users into downloading it and then uses social engineering to ask the affected user to enable macro execution. If the victim enables the macros, the document runs a batch script whose last line launches a file-less PowerShell command together with the locked payload.
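The Word document → batch script → PowerShell chain described above leaves a recognizable parent/child process trail on the endpoint. The following is an added detection example, not code from the original post or from any vendor: it walks constructed Sysmon-style process-creation records (field layout and process names are assumptions for this example) and reports every shell that descends from an Office application.

```python
"""Flag cmd.exe / powershell.exe processes spawned beneath an Office application.

Constructed sample telemetry (not real events): tuples of (pid, ppid, image path)
in the spirit of Sysmon Event ID 1. Field layout is an assumption for this example.
"""

# Constructed sample: one malicious chain (WINWORD -> cmd -> powershell)
# and one benign chain (explorer -> cmd -> powershell) that must not be flagged.
SAMPLE_EVENTS = [
    (1200, 800, r"C:\Windows\explorer.exe"),
    (2100, 1200, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    (2330, 2100, r"C:\Windows\System32\cmd.exe"),
    (2412, 2330, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (3000, 1200, r"C:\Windows\System32\notepad.exe"),
    (3100, 1200, r"C:\Windows\System32\cmd.exe"),
    (3200, 3100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def build_ancestry(events):
    """Map pid -> (ppid, image basename) for quick parent lookups."""
    return {pid: (ppid, basename(image)) for pid, ppid, image in events}


def find_office_to_shell_chains(events, max_depth=4):
    """Return process chains (root Office app first) ending in a shell process.

    Walks upward from every shell process through at most max_depth parents;
    a chain is reported only when an Office application is found as an ancestor.
    """
    tree = build_ancestry(events)
    hits = []
    for pid, (ppid, name) in tree.items():
        if name not in SHELLS:
            continue
        chain, cur, depth = [name], ppid, 0
        while cur in tree and depth < max_depth:
            parent_name = tree[cur][1]
            chain.append(parent_name)
            if parent_name in OFFICE_APPS:
                hits.append(list(reversed(chain)))  # Office app ends up first
                break
            cur, depth = tree[cur][0], depth + 1
    return hits
```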