Cryptolaemus Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Fri, 31 May 2024 00:22:25 +0000

Emotet Botnet Resumed Activity after Five Months of Inactivity
https://gridinsoft.com/blogs/emotet-botnet-resumed-activity/
Thu, 03 Nov 2022 14:54:07 +0000

The Emotet botnet resumed activity and began sending out malicious spam again after a five-month break, during which the malware practically “lay low.”

So far, Emotet is not delivering additional payloads to the infected devices of victims, so it is not yet possible to say exactly what this malicious campaign will lead to.

Let me remind you that we also wrote about Microsoft patching the Windows AppX Installer vulnerability that was being used to spread Emotet malware.

Among the first to notice the resumption of Emotet activity were experts from the Cryptolaemus group, which includes more than 20 information security specialists from around the world who united in 2018 for a common goal – to fight Emotet. According to them, the malware, which had been idle since June 13, 2022, suddenly resumed its work in the early morning of November 2 and began sending spam around the world.

Proofpoint expert and Cryptolaemus contributor Tommy Madjar reports that the new spam campaign is using previously stolen email threads to spread malicious Excel attachments. Among the samples already uploaded to VirusTotal are attachments aimed at users all over the world, written in different languages and carrying different file names. The malicious documents are disguised as invoices, scans, electronic forms and the like.

Bleeping Computer journalists list the names of some of the malicious files caught by honeypots:

  1. Scan_20220211_77219.xls
  2. fattura novembre 2022.xls
  3. BFE-011122 XNIZ-021122.xls
  4. FH-1612 report.xls
  5. 2022-11-02_1739.xls
  6. Fattura 2022 – IT 00225.xls
  7. RHU-011122 OOON-021122.xls
  8. Electronic form.xls
  9. Rechnungs-Details.xls
  10. Gmail_2022-02-11_1621.xls
  11. gescanntes-Document 2022.02.11_1028.xls

The researchers note that this Emotet campaign uses a new template for the Excel attachments, containing revised instructions that walk the user through bypassing Microsoft's Protected View.

[Image: A malicious Excel file tells the user how to proceed]

The reason is that Windows attaches a special Mark-of-the-Web (MoTW) flag to files downloaded from the Internet (including email attachments). When a user opens a Microsoft Office document carrying the MoTW flag, it opens in Protected View mode, which blocks the execution of the macros that would install malware.


Therefore, Emotet operators now instruct users to copy the file into one of the trusted Templates folders, because Office does not apply Protected View restrictions to files opened from there (even when the file is marked with MoTW).

When the malicious attachment is opened from the Templates folder, its macros execute immediately and download the Emotet malware to the victim's system. The malware arrives as a DLL placed in several randomly named folders under %UserProfile%\AppData\Local, and the macros then run the DLL using regsvr32.exe.

The malware will then run in the background, connecting to the attackers’ control server to receive further instructions or install additional payloads. Let me remind you that earlier Emotet distributed the TrickBot Trojan, and was also caught installing Cobalt Strike beacons.
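The loading chain described above (an Office process running regsvr32.exe against a DLL dropped into a randomly named folder under AppData\Local) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the Gridinsoft post or from Cryptolaemus: it runs a small rule over constructed event records that mimic the fields of a Sysmon Event ID 1 / Windows 4688 record (Image, ParentImage, CommandLine); the record format, paths and folder names are assumptions made for the example.

```python
"""Flag regsvr32.exe loading a DLL from a user-writable AppData\\Local folder.

Added example; the event records and their 'key=value|key=value' layout are
constructed for illustration and are not real telemetry.
"""
import ntpath
import re

# A DLL sitting in a direct subfolder of %LocalAppData% (as the post describes:
# randomly named folders under %UserProfile%\AppData\Local).
LOCAL_APPDATA_DLL_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\\[^\\]+\.dll$", re.IGNORECASE
)
# Office hosts whose macros should not normally be spawning regsvr32.exe.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample records (assumed format, not a real log).
SAMPLE_EVENTS = [
    # Benign: an installer registering a system DLL.
    r"Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Windows\System32\msiexec.exe"
    r"|CommandLine=regsvr32.exe /s C:\Windows\System32\vbscript.dll",
    # Matches the chain from the post: Excel -> regsvr32 -> DLL in a random folder.
    r"Image=C:\Windows\System32\regsvr32.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r'|CommandLine=C:\Windows\System32\regsvr32.exe /s "C:\Users\alice\AppData\Local\qzpgfwdk\enlgtwfr.dll"',
    # Unrelated process.
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe",
]


def parse_event(line):
    """Split one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def extract_dll_path(command_line):
    """Return the first .dll argument of a regsvr32 command line (quoted or not), or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        value = quoted or bare
        if value.lower().endswith(".dll"):
            return value
    return None


def score_event(event):
    """Return the list of reasons this event matches the Emotet loading chain."""
    reasons = []
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if image != "regsvr32.exe":
        return reasons
    if parent in OFFICE_PARENTS:
        reasons.append(f"regsvr32.exe spawned by Office process {parent}")
    dll = extract_dll_path(event.get("CommandLine", ""))
    if dll and LOCAL_APPDATA_DLL_RE.match(dll):
        reasons.append(f"DLL loaded from user-writable path {dll}")
    return reasons


def detect(lines):
    """Return (record_index, reasons) for every record that trips the rule."""
    hits = []
    for index, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(f"record {index}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Either reason on its own is worth a look; both together on one event reproduce the exact sequence the post describes, which is why the rule reports them separately rather than as a single yes/no.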

History of Emotet:

Emotet appeared in 2014, but only in the 2020s did it become one of the most active threats among malware.

The malware was distributed mainly through email spam carrying malicious Word and Excel documents. Such emails could be disguised as invoices, waybills, account security warnings, party invitations, or information about the spread of the coronavirus. In short, the hackers carefully follow global trends and constantly refine their bait emails.

Although Emotet started out as a classic banking Trojan, the threat has since evolved into a powerful downloader with many modules, and its operators have begun to cooperate actively with other criminal groups.

Having penetrated the victim's system, Emotet used the infected machine to send further spam and installed various additional malware on the device. Often these were banking Trojans such as TrickBot, miners and infostealers, as well as ransomware such as Ryuk, Conti and ProLock.

Europol called Emotet “the most dangerous malware in the world” and also “one of the most prominent botnets of the last decade.”

An attempt to eliminate the botnet, undertaken by law enforcement officers in 2021, was unsuccessful. At the end of the year, the malware returned to service, teaming up with Trickbot to “get back on its feet.”

However, experts warned about the active growth of Emotet, and last summer it was observed that the malware had acquired its own module for stealing bank card data.

Emotet Malware Operators Found a Bug in Their Bootloader
https://gridinsoft.com/blogs/emotet-malware-operators-found-a-bug/
Tue, 26 Apr 2022 21:44:36 +0000

Emotet malware operators have fixed a bug that left the system uninfected after a malicious document was opened, and have relaunched their phishing campaign.

Let me remind you, by the way, that at the end of last year we wrote about Microsoft patching the Windows AppX Installer vulnerability that was being used to spread Emotet malware.

Emotet's main distribution vector is spam email with malicious attachments. When a victim opens a malicious document, its macros or scripts download the Emotet DLL onto their system.

[Image: Emotet phishing email example]

Once running, the malware searches for and steals email addresses for use in future phishing campaigns, and downloads additional payloads such as Cobalt Strike or other malware, including ransomware.

On Friday, April 22, Emotet operators launched a new spam operation with a password-protected ZIP file attached. It contained a Windows shortcut (LNK) file disguised as a Word document.

When the shortcut was double-clicked, it ran a command that searched the shortcut file itself for a special marker string followed by Visual Basic Script code. That code was then written into a new VBS file, which was executed on the system.

“However, the above-mentioned command contained an error: it used the static shortcut name Password2.doc.lnk, although the actual name of the attached file was different, for example INVOICE 2022-04-22_1033, USA.doc. This caused the command to fail, because the Password2.doc.lnk file did not exist and the VBS file was not created,” Cryptolaemus specialists explained.

As Cryptolaemus researcher Joseph Roosen told BleepingComputer, Emotet operators halted the new operation on Friday night when they discovered that systems were not being infected because of the bug. However, they quickly fixed it and resumed spamming on Monday.

This time the shortcut refers to the actual file name, the command runs, and the VBS file is created as intended, so Emotet is downloaded and executed on the attacked system without obstruction.
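The attachment in this campaign is a shortcut file that pretends to be a Word document and carries script text inside itself. A triage check for such a file can be written from the defender's side without reproducing the shortcut: confirm that the bytes really are a Windows shortcut, check whether the name uses a document extension in front of .lnk, and search the shortcut's ASCII and UTF-16 text for script or command markers. The code below is an added example, not code from the Gridinsoft post or from Cryptolaemus; the sample bytes are constructed (a valid ShellLinkHeader magic, filler, and some marker text) and do not form a working shortcut, and the marker list and file name are assumptions.

```python
"""Triage heuristics for a shortcut (.lnk) that masquerades as a document and
embeds script text. Added example with constructed sample data."""

# First 20 bytes of every ShellLinkHeader: HeaderSize 0x0000004C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
HEADER_SIZE = 76  # full ShellLinkHeader length

# Strings a legitimate document shortcut has no reason to contain (assumed list).
SCRIPT_MARKERS = ("cmd.exe", "wscript", "cscript", "powershell", "createobject", ".vbs")
DOCUMENT_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf")

# Constructed sample: header magic, filler to complete the header, a UTF-16LE
# argument string and an ASCII script block. Not a functional shortcut.
SAMPLE_LNK = (
    LNK_MAGIC
    + b"\x00" * (HEADER_SIZE - len(LNK_MAGIC))
    + "cmd.exe /c echo example".encode("utf-16-le")
    + b"\n'--marker--\nSet obj = CreateObject(\"WScript.Shell\")\n"
)
SAMPLE_NAME = "invoice.doc.lnk"  # constructed name in the double-extension style


def is_lnk(data):
    """True when the file starts with the fixed ShellLinkHeader bytes."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def masquerades_as_document(filename):
    """True for names like 'invoice.doc.lnk' that hide .lnk behind a document extension."""
    name = filename.lower()
    return name.endswith(".lnk") and name[:-4].endswith(DOCUMENT_EXTS)


def find_script_markers(data):
    """Search the file as ASCII and as UTF-16LE (LNK string data is often UTF-16)."""
    ascii_text = data.decode("latin-1").lower()
    utf16_text = data.decode("utf-16-le", errors="ignore").lower()
    return [m for m in SCRIPT_MARKERS if m in ascii_text or m in utf16_text]


def triage_lnk(filename, data):
    """Combine the checks; a real shortcut is 'suspicious' if it masquerades or carries markers."""
    lnk = is_lnk(data)
    findings = {
        "is_lnk": lnk,
        "masquerades_as_document": masquerades_as_document(filename),
        "script_markers": find_script_markers(data) if lnk else [],
    }
    findings["verdict"] = (
        "suspicious"
        if lnk and (findings["masquerades_as_document"] or findings["script_markers"])
        else "clean"
    )
    return findings


if __name__ == "__main__":
    print(triage_lnk(SAMPLE_NAME, SAMPLE_LNK))
    print(triage_lnk("Excel.lnk", LNK_MAGIC + b"\x00" * (HEADER_SIZE - len(LNK_MAGIC))))
```

The magic-byte check matters because the campaign relied on the name, not the content, to pass as a document; an ordinary shortcut to Excel with no script text comes back clean, while the constructed sample trips both the name check and the marker search.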

Emotet now installs Cobalt Strike beacons
https://gridinsoft.com/blogs/emotet-now-installs-cobalt-strike-beacons/
Thu, 09 Dec 2021 19:44:50 +0000

Researchers warn that Emotet now installs Cobalt Strike beacons directly on infected systems, giving attackers immediate access to the network. They can use that access for lateral movement, which greatly facilitates extortion attacks.

Let me remind you that Emotet usually installs TrickBot or Qbot on the victim's machines, and it is that second-stage malware that deploys Cobalt Strike and performs other malicious actions. Now the Cryptolaemus research group has warned that Emotet is skipping the TrickBot or Qbot stage and installing Cobalt Strike beacons directly on infected devices.

Cryptolaemus is a group of more than 20 information security specialists from all over the world who united back in 2018 for a common goal – to fight Emotet malware.

This information was confirmed to the journalists of Bleeping Computer by the specialists of the information security company Cofense.

“Some of the infected computers were instructed to install Cobalt Strike, a popular post-exploitation tool. Emotet itself collects a limited amount of information about the infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, looking for suitable victims for further infection, such as with ransomware. Cobalt Strike tried to contact the lartmana[.]com domain, and shortly thereafter Emotet deleted the Cobalt Strike executable,” the experts say.

In practice, this means that attackers now gain immediate access to the network for lateral movement, data theft and rapid ransomware deployment. The rapid arrival of Cobalt Strike is expected to speed up ransomware deployment on compromised networks as well.

“It is very serious. Usually, Emotet drops TrickBot or QakBot, which in turn drops Cobalt Strike. In a normal situation, you have about a month between the first infection and the extortion. With Emotet dropping CS directly, this delay is likely to be much shorter,” security specialist Marcus Hutchins warns on Twitter.

Cofense experts, in turn, report that it is not yet clear whether this is a test by the Emotet operators themselves or part of an attack chain run by another malware family that cooperates with the botnet.

“We do not yet know if the Emotet operators intend to collect the data for their own use, or if it is part of a chain of attacks belonging to one of the other families of malware. Given the quick removal, it could have been a test, or even an accident,” the experts summarize, promising to continue monitoring.

Let me remind you that I also reported that the Emotet Trojan tries to spread through nearby Wi-Fi networks.
