Emotet vs Trump – Deep Dive Analysis of a Killer Info-Stealer
Emotet is one of the most widespread modular banking data-stealing trojans of the last six years. It aims to gain remote access to the compromised host in order to steal banking credentials, financial data and even Bitcoin wallets, and is also used as a downloader for other known malware such as TrickBot (banking trojan) and Ryuk (ransomware). Cynet’s research team has published an analysis of one of Emotet’s latest instances, dated to early February, which included in its payload metadata a reference to a CNN report on the US Senate vote against Donald Trump.
Emotet was first spotted in May 2014 across various campaigns in which it was mostly used to spy on compromised environments, steal credentials for cloud storage, email data, and upload this information to a remote server.
Emotet Kill Chain
In these attacks, Emotet’s main infection methods are phishing and spam emails which use social engineering techniques to lure the victims into opening a malicious attachment or malicious link. Once the user enables the macros, the VBA script in the weaponized Office document executes a malicious command and downloads the Emotet payload. The payload enumerates the compromised host and shows strong persistence capabilities. While persisting on the compromised host it collects multiple types of sensitive data, which are continuously sent to the attacker’s Command and Control server.
Additionally, the communication with the Command and Control server can potentially download further payloads to the infected host according to the settings on the attacker’s server. This usually takes place when the stolen data matches the terms the attacker is looking for and has coded into the server.
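The weakest link in the kill chain described above, from a defender's point of view, is the moment the Office document's macro hands off to a script interpreter to fetch the payload. The following detection heuristic is an added example written for this post; it is not Cynet's code and not part of the original analysis. It assumes process-creation events in a simplified, Sysmon-style `key="value"` format (the log lines are constructed, including the placeholder command lines), flags an Office application spawning a script or LOLBin host, and raises the severity when the child's command line carries arguments Emotet-style downloaders commonly use (encoded or hidden PowerShell, in-line downloads).

```python
"""Heuristic for the macro-to-loader step of the Emotet kill chain.

Added example, not code from the original post. Assumes a simplified
Sysmon-like process-creation log where every field is key="value".
"""
import ntpath
import re

# Office applications whose macros Emotet lures abuse (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters / LOLBins a macro typically launches to fetch a payload (assumed list).
SCRIPT_HOSTS = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Command-line fragments that push a hit from "medium" to "high" (assumed list).
SUSPICIOUS_ARGS = (
    "-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
    "downloadstring", "http://", "https://", "bypass",
)

# Constructed sample events; command lines are placeholders, not real payloads.
SAMPLE_LOG = [
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell -w hidden -enc <REDACTED_BASE64>"',
    r'ParentImage="C:\Windows\explorer.exe" '
    r'Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'CommandLine="WINWORD.EXE /n invoice.doc"',
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" '
    r'Image="C:\Windows\System32\cmd.exe" '
    r'CommandLine="cmd /c echo hi"',
    r'ParentImage="C:\Windows\explorer.exe" '
    r'Image="C:\Windows\System32\cmd.exe" '
    r'CommandLine="cmd.exe"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Turn one key="value" log line into a dict (unknown keys are kept)."""
    return {key: value for key, value in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def score_event(event: dict):
    """Return a finding dict for an Office->script-host spawn, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "").lower()
    indicators = [arg for arg in SUSPICIOUS_ARGS if arg in cmd]
    return {
        "parent": parent,
        "child": child,
        "severity": "high" if indicators else "medium",
        "indicators": indicators,
    }


def scan_log(lines):
    """Scan every line; return (line_number, finding) pairs for alerts only."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = score_event(parse_event(line))
        if finding is not None:
            findings.append((number, finding))
    return findings


if __name__ == "__main__":
    for number, finding in scan_log(SAMPLE_LOG):
        print(f"line {number}: {finding['severity'].upper()} "
              f"{finding['parent']} -> {finding['child']} {finding['indicators']}")
```

Run against the constructed sample, only the two Office-spawned interpreters alert: the Word-to-PowerShell event is rated high because of the hidden-window and encoded-command flags, while the Excel-to-cmd event is rated medium. Word being launched from Explorer, or cmd.exe on its own, stays silent, which is what keeps a rule like this usable on a real endpoint fleet: the parent-child pairing does the work, and command-line indicators only adjust priority.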