Emotet, a nasty botnet and popular malware family, has proven increasingly dangerous over the past year as its operators adopt new tactics. Now armed with the ability to drop additional payloads and arriving via business email compromise (BEC), it’s become a major threat to organizations.
Security watchers are wary of Emotet, which was among the first botnets to spread banking Trojans laterally within target organizations, making removal difficult. After ramping up in early 2018, Emotet increased again during the holiday season. Through the start of 2019, the malware continued to spread.
Read more about the rise and rise of the Emotet botnet on DarkReading.
Phishing and malspam campaigns are in high gear for the holidays and a new campaign pretending to be an Amazon order confirmation is particularly dangerous as people shop for holiday gifts.
In a new malspam campaign discovered by email security company EdgeWave, attackers are sending email disguised as very convincing Amazon order confirmations. These fake order confirmations come with a malicious Word document that delivers the Emotet banking Trojan if the user opens the document and enables the content.
ESET researchers have unearthed a new Android Trojan that tricks users into logging into PayPal, then takes over and mimics the user’s clicks to send money to the attacker’s PayPal address.
The heist won’t go unnoticed by the victim if they are looking at the phone screen, but they will still be unable to stop the transaction from being executed, as it all happens in a matter of seconds. The only thing that will prevent the theft is if the user has an insufficient PayPal balance and no payment card connected to the account.
Authors of the DanaBot banking trojan updated the malware with new features that enabled it to harvest email addresses and send out spam straight from the victim’s mailbox.
Emotet, the seemingly ubiquitous banking trojan, has turned up again after a small hiatus, this time as the anchor in a Thanksgiving-themed campaign that cranked up in the U.S. this week. It has also upgraded its capabilities with new tactics and modules, which has boosted its efficacy, according to researchers.
Looking to take advantage of a nation preparing for a collective food coma, the cybercriminals behind the campaign have so far sent out 27,000 or so messages daily, with verbiage that marks a departure from the standard financial themes regularly seen used as phishing lures by the group.
Read more about Emotet’s Thanksgiving campaign on Threatpost.
As the Black Friday post-Thanksgiving buying bonanza looms, many are opting to stay at home and take advantage of the same deals online. But they may get an unwanted extra with their purchase. Banking trojan malware families Betabot, Panda, Gozi, Zeus, Chthonic, TinyNuke, Gootkit2, IcedID and SpyEye are targeting online shoppers.
According to Kaspersky Lab, these and other banking trojans have spiked in detections lately, and are hunting for user credentials such as user names, passwords, payment-card numbers and phone numbers. At least 14 malware families have been found actively targeting a total of 67 consumer e-commerce sites between them, the firm said.
Read more about the findings of the Kaspersky Lab analysis on Threatpost.
A large-scale spam campaign has launched, spreading the Emotet malware. Emotet is technically a banking trojan, but it’s most often used as a dropper for a variety of secondary payloads, with credential-stealing, network propagation, sensitive information harvesting and other capabilities.
Recently, Emotet added a new module to up the ante on its ability to harvest victim email account credentials and contact lists: It can now exfiltrate entire email contents stretching back 180 days. Just after that discovery, ESET noticed the latest campaign ramping up last week, following a bit of a lull for the malware’s activity. The spam is well-crafted, and contains malicious links or Microsoft Word and PDF attachments disguised as invoices, bank account alerts or payroll reports.
Read more about the new Emotet spam campaign on Threatpost.
Two ongoing malware distribution campaigns are sending banking Trojans to customers of Brazilian financial institutions, report Cisco Talos researchers, who also identified a spam botnet delivering malicious emails as part of the infection process.
Two separate infection processes were used in these campaigns between late October and early November, they say. The campaigns use different file types for the download and infection processes, but both target Brazilian firms. Researchers believe the attacker is from South America, where it would be easiest to use victims’ credentials to carry out fraud. Both campaigns eventually deliver banking Trojans. Researchers also found additional tools and malware hosted in an Amazon S3 bucket.
Read more about these banking malware campaigns on DarkReading.
A new member of the GPlayed Trojan has been discovered which has been designed to attack customers of a Russian-owned state bank. Earlier this month, researchers from Cisco Talos revealed GPlayed, an “extremely powerful” Trojan which pretends to be a Google service when infecting Android mobile devices.
At the time of discovery, the researchers said they believed the malware was still in development due to clues in the code — but this did not detract from the fact the Trojan was extremely flexible, used obfuscation, and contained strong destructive and data-stealing capabilities. It has now been found that GPlayed is not the only member of the new Trojan family. Talos said that the malware’s “younger brother” has also appeared on the radar.
Read more about the GPlayed Trojan’s “younger brother” on ZDNet.
A new PowerShell downloader dubbed sLoad is making the rounds, sporting impressive reconnaissance tactics and a penchant for geofencing, which indicate increasing sophistication when it comes to targeting efforts.
First spotted in May 2018, sLoad typically delivers the Ramnit banking trojan (but has been seen fetching Gootkit, DarkVNC, Ursnif and PsiXBot as well). The notable aspect is the lengths to which it will go to learn about a target before delivering its payload. According to a Proofpoint analysis, the malware gathers extensive information about the infected system.
Read more about the sLoad banking Trojan downloader on Threatpost.