Emotet & TrickBot top the list

TrickBot and Emotet topped the list of the most prolific malware strains in October, helping to push a surge in ransomware infections.

Emotet emerged as the most widespread malware last month, accounting for 12% of infected organizations. TrickBot and the Android malware Hiddad came next, with a global impact of 4% each.

Both Emotet and TrickBot began life as banking Trojans, but have evolved significantly in recent years and now feature advanced modular functionality to enable everything from cryptojacking and ransomware to sophisticated data theft.

Increasingly, they are being used to provide access for attackers and maintain persistence in victim networks as a precursor to additional malware downloads such as ransomware.

This has led to a 71% increase in ransomware attacks on US healthcare organizations last month versus September, while the figures jumped 36% in EMEA and 33% in APAC.

Ransomware attacks have been increasing since the start of the coronavirus pandemic, as attackers try to take advantage of security gaps that opened while businesses scrambled to support remote workforces. These attacks have surged alarmingly over the past three months, especially against the healthcare sector, and are driven by pre-existing TrickBot and Emotet infections.

The findings chime with those of HP Inc, which found last week that attacks using the Emotet Trojan soared by more than 1200% from Q2 to the third quarter of this year.

Emotet 👹: now asks you to update MS Word! Tricky

Emotet comes with a new phishing template that pretends to be a Microsoft Office message urging the recipient to update Microsoft Word to add a new feature.

Once installed, Emotet downloads additional payloads onto the machine, including ransomware, and uses the machine to send spam emails.

The botnet is operated by a threat actor tracked as TA542. Recent campaigns tricked users with malicious Word documents carrying COVID-themed lures.

The infamous banking Trojan is also used to deliver other malicious code, such as the TrickBot and QBot Trojans, or ransomware such as Conti (via TrickBot) or ProLock (via QBot).

Emotet is modular malware; its operators can develop new Dynamic Link Libraries (DLLs) to update its capabilities.

In a recent campaign, the attackers are using multiple lures, including invoices, purchase orders, shipping information and COVID-19 information.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

“Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature,” researchers reported.

Below is the message displayed to the recipient to trick them into enabling the macros:

Upgrade your edition of Microsoft Word
Please click Enable Editing and then click
Enable Content.

Once the macros are enabled, the Emotet malware is downloaded and installed into the victim’s %LocalAppData% folder.
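The lure above only works if the attachment carries macros and the user enables them, so a mail-gateway triage step can flag exactly that combination. The following is an added example (not code from the original post or from any vendor): a heuristic that checks a Word attachment for a VBA project (the `vbaProject.bin` part in OOXML, or the `Macros`/`_VBA_PROJECT` storage names in a legacy OLE2 `.doc`) and for the "update Word / Enable Content" wording. The sample documents are constructed in-line and are not real malware; the verdict labels are assumptions.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (OLE2 compound file) header
# Storage/stream names an OLE2 Word file carries only when it contains a VBA project.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]
# Phrases from the fake "update Word" lure that coaxes the user into enabling macros.
LURE_PATTERNS = [
    ("upgrade_word", re.compile(rb"upgrade your edition of microsoft word", re.I)),
    ("enable_editing", re.compile(rb"enable editing", re.I)),
    ("enable_content", re.compile(rb"enable content", re.I)),
]

def has_macros(data: bytes) -> bool:
    """Heuristic: does this Word attachment carry a VBA project?"""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_MACRO_MARKERS)
    if data.startswith(b"PK\x03\x04"):                      # OOXML (.docx/.docm) zip container
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    return False

def lure_hits(data: bytes) -> list:
    """Names of lure phrases found in the XML parts (OOXML) or in 8-bit/UTF-16LE text (OLE2)."""
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            views = [z.read(n) for n in z.namelist() if n.endswith(".xml")]
    else:
        views = [data, data.decode("utf-16-le", "ignore").encode("latin-1", "ignore")]
    return [name for name, pat in LURE_PATTERNS if any(pat.search(v) for v in views)]

def triage_attachment(data: bytes) -> dict:
    """'suspicious' = macros plus the lure text; 'review' = only one of them; else 'clean'."""
    macros, lure = has_macros(data), lure_hits(data)
    verdict = "suspicious" if macros and lure else ("review" if macros or lure else "clean")
    return {"macros": macros, "lure": lure, "verdict": verdict}

def _build_ooxml(with_macro: bool, body: str) -> bytes:
    # Constructed sample: a minimal OOXML zip standing in for a real Word file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document><w:t>%s</w:t></w:document>" % body)
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)   # stand-in for a VBA project
    return buf.getvalue()

# Constructed samples (no real malware): the lure document, a clean one and a fake OLE2 .doc.
SAMPLE_LURE_DOCM = _build_ooxml(True, "Upgrade your edition of Microsoft Word. Please click Enable Editing and then click Enable Content.")
SAMPLE_CLEAN_DOCX = _build_ooxml(False, "Quarterly invoice attached.")
SAMPLE_OLE_DOC = OLE_MAGIC + b"\x00" * 8 + "Macros".encode("utf-16-le") + "Enable Content".encode("utf-16-le")
```

A real OLE2 parser (or oletools) is the robust choice for production; the string scan here is a cheap first-pass filter.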

Users should be educated to tell legitimate mail from phishing mail, and a proper defence-in-depth strategy is needed to protect against these threats.

LatAM Banking Trojan

The Mekotio banking Trojan, originally known for targeting banking customers in Chile, has been expanding its scope both geographically and tactically. Mekotio is the second banking malware observed doing this this week.

Multiple distinct malware families have wreaked havoc on Latin American banks for years; the variants include Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist and Zumanek.

Mekotio expands across Latin America

Mekotio Trojan operators have been regularly updating their malware to cover more financial organizations across several Latin American countries, and some new enhancements have been observed recently.

  • Researchers found several variants of the Mekotio Trojan that specifically target users in Spain. Besides normal banking services, it also targets e-banking users from a small set of countries.
  • The malware spreads through spam emails that use social engineering tactics, such as impersonating government or private agencies, to lure users into clicking malicious links included in the message body.
  • Mekotio can steal banking credentials stored in web browsers such as Google Chrome and Opera. Additionally, it has been updated with the ability to replace bitcoin wallet addresses copied to the clipboard with the attacker’s wallet address.
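The clipboard-replacement feature in the last bullet is hard to spot by eye because the swapped-in address is itself well-formed. As an added example (not code from the original post or from any vendor), the block below implements Base58Check decoding so that a defender-side check can tell "the user copied address A and the clipboard now holds a different, still valid address B" from ordinary clipboard noise. It covers only legacy base58 P2PKH/P2SH addresses (not bech32 `bc1…` ones); the two sample addresses are constructed from dummy hashes and belong to no real wallet.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of double-SHA256; leading zero bytes become '1'."""
    data = payload + _sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out

def b58check_decode(s: str):
    """Return the payload if the alphabet and checksum are valid, else None."""
    n = 0
    for ch in s:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))          # each leading '1' is one zero byte
    data = b"\x00" * pad + raw
    if len(data) < 5 or _sha256d(data[:-4])[:4] != data[-4:]:
        return None
    return data[:-4]

def is_legacy_btc_address(s: str) -> bool:
    """P2PKH (version 0x00) or P2SH (0x05) address with a valid checksum."""
    payload = b58check_decode(s)
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)

def clipboard_swap_suspected(copied: str, pasted: str) -> bool:
    """The Mekotio pattern: the user copied one valid address, the clipboard now holds another."""
    return is_legacy_btc_address(copied) and is_legacy_btc_address(pasted) and copied != pasted

# Constructed sample addresses (built from fixed dummy hashes, not real wallets).
USER_ADDR = b58check_encode(b"\x00" + bytes(range(20)))
ATTACKER_ADDR = b58check_encode(b"\x00" + bytes(range(20, 40)))
```

In practice the "copied" value comes from hooking the application's copy action and the "pasted" value from the clipboard at paste time; comparing the two is the detection, and the checksum test keeps random text from triggering it.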

Since its first detection in March 2018, Mekotio’s developers have been making gradual improvements in this Windows-based malware, which is developed in Embarcadero Delphi.

Current coverage

As of now, Mekotio malware has a presence in Chile (having the highest detection), followed by Brazil and Mexico (medium level of detection), and then Peru, Colombia, Argentina, Ecuador, and Bolivia.

Alien RAT 👽 Banking Trojan

Alien RAT with 2FA-Stealing Technique
A new variant of the Cerberus malware, which has been available for rent on underground forums since January, has been found invading Android devices and targeting more than 200 applications.

The newly identified banking trojan called Alien shares several common capabilities with the Cerberus banking malware.

Researchers reported Alien RAT targeting a list of at least 226 mobile applications, including banking apps such as BBVA Spain and Bank of America Mobile Banking, as well as a slew of collaboration and social networking apps such as Twitter, Snapchat and Instagram.

It comes equipped with an advanced ability to bypass two-factor authentication (2FA) security measures to steal the victim’s credentials. The malware also abuses the TeamViewer application to gain full remote control over the victim’s device.

Researchers speculate that Alien RAT is a fork of the Cerberus malware, which has undergone a steady decline in use over the past year and was put up for sale in August. Besides several common capabilities, there are a few notable differences.

The Alien RAT component has been implemented separately from the main command handler, using different command-and-control (C2) endpoints.

Moreover, Alien’s 2FA-stealing technique is an additional feature beyond Cerberus’s capabilities.

More malware adding 2FA-bypass techniques
Several attackers and malware operators have upgraded their malware and attack vectors with 2FA-bypass techniques to carry out more successful attacks.

Banking Trojans have recently been evolving with new and improved features to increase the success rate of fraud. Financial institutions are recommended to assess their current and future threat exposure and implement relevant detection and control mechanisms at the earliest.