Emotet & TrickBot top the list

TrickBot and Emotet topped the list of the most prolific malware strains in October, helping to drive a surge in ransomware infections.

Emotet emerged as the most widespread malware last month, accounting for 12% of infected organizations. TrickBot and the Android malware Hiddad came next, each with a global impact of 4%.

Both Emotet and TrickBot began life as banking Trojans, but they have evolved significantly in recent years and now feature advanced modular functionality enabling everything from cryptojacking and ransomware to sophisticated data theft.

Increasingly, they are being used to provide access for attackers and maintain persistence in victim networks as a precursor to additional malware downloads such as ransomware.

This has led to a 71% increase in ransomware attacks on US healthcare organizations last month compared with September, while the figures rose 36% in EMEA and 33% in APAC.

Ransomware attacks have been rising since the start of the coronavirus pandemic, as attackers try to take advantage of the security gaps that opened while organizations scrambled to support remote workforces. They have surged alarmingly over the past three months, particularly against the healthcare sector, and are driven by pre-existing TrickBot and Emotet infections.

The findings chime with those of HP Inc, which found last week that attacks using the Emotet Trojan soared by more than 1200% from Q2 to Q3 of this year.

Emotet (👹) now asks you to update MS Word! Tricky

Emotet comes with a new phishing template that pretends to be a Microsoft Office message urging the recipient to update Microsoft Word to add a new feature.

Once installed, Emotet downloads additional payloads onto the machine, including ransomware, and uses the machine to send spam emails.

The botnet is operated by a threat actor tracked as TA542. Recent campaigns have tricked victims with malicious Word documents carrying COVID-themed lures.

The infamous banking trojan is also used to deliver other malicious code, such as the TrickBot and QBot trojans, or ransomware such as Conti (via TrickBot) or ProLock (via QBot).

Emotet is modular malware; its operators can develop new Dynamic Link Libraries (DLLs) to update its capabilities.

In a recent campaign, the attackers used multiple lures, including invoices, purchase orders, shipping information and COVID-19 information.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

“Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature,” researchers reported.

Below is the message displayed to the recipient to trick them into enabling the macros:

Upgrade your edition of Microsoft Word
Please click Enable Editing and then click
Enable Content.

Once the macros are enabled, the Emotet malware is downloaded and installed into the victim’s %LocalAppData% folder.

Users should be educated to tell legitimate mail from phishing mail, and a proper defence-in-depth strategy is needed so that a single click does not turn into a full compromise.

North Korea or Russia: where does Lazarus belong?

North Korean state-sponsored cybercriminals have repeatedly been accused of buying access to pre-hacked servers from other threat actors. Lately, however, connections have emerged between the North Korea-based Lazarus APT group and some prominent Russian-speaking cybercriminal groups.

TrickBot, Dridex, and TA505 are threat groups linked to various Russian-speaking threat actors who sell access to victims’ systems on the dark web. Lazarus has occasionally been found using TrickBot’s code in its attacks.

TrickBot is a privately run Malware-as-a-Service (MaaS) offering, accessible only to top-tier threat actors.

TA505 is a cybercriminal group that has purchased a huge number of tools from the underground.

According to a report by LEXFO, past Lazarus infections have been observed coexisting with TrickBot and Emotet, and TA505 and Lazarus IOCs have been found together in bank networks.

North Korea-based hackers may “be working with or contracting out to criminal hacking groups, like TA505, for initial access development.”

Based on the different incidents, experts assess that there is a connection between Lazarus and Russian-speaking cybercriminals.

TrickBot appears to hold a treasure trove of compromised accesses that Lazarus can readily leverage.

It is very likely that threat actors with access to TrickBot infections are in touch with North Korean state-sponsored hackers. Knowing that there is a link between different threat actors gives defenders an opportunity to look for a potential second problem when the first one is found.

Red Dawn 👹 Emotet 🎃

The notorious Emotet went dark at the start of 2020, but after months of inactivity the infamous trojan surged back in the second half of the year with a massive new spam campaign targeting users worldwide.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542.

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be invoices, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

When opened, the documents prompt the user to click ‘Enable Content’, which executes the embedded malicious macros and starts the infection chain that ends with the installation of Emotet.

Emotet botnet

To trick the user into enabling macros, Emotet’s operators have used a document template claiming that the document was created on iOS and cannot be viewed properly unless the ‘Enable Content’ button is clicked.

The Red Dawn template displays the message “This document is protected” and tells the user that a preview is not available, in an attempt to trick them into clicking ‘Enable Editing’ and ‘Enable Content’ to access the content.
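Every lure described on this page (the Word-update template above, the "created on iOS" template and Red Dawn) ends with the same ask: open a macro-capable Office attachment and click Enable Editing / Enable Content. That makes the mail gateway a good place to catch them. The script below is an added example written for this page, not code from Emotet researchers or from any vendor: it parses a raw RFC 822 message with Python's standard library, scores each attachment on its extension, on VBA stream names that appear inside macro-bearing Office files, and on the lure phrases quoted on this page, and adds a point when the mail body itself urges a Microsoft Word update. The sample message, sender addresses and the .doc payload are constructed for the demo; the payload is a stand-in byte string, not a real Word document.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Stream names found inside macro-bearing Office files (OLE2 .doc/.xls, OOXML .docm/.xlsm).
MACRO_MARKERS = (b"_VBA_PROJECT", b"vbaProject.bin", b"Attribut")
# Lure phrases from the templates described on this page (Word-update, "created on iOS", Red Dawn).
LURE_PATTERNS = tuple(re.compile(p, re.I) for p in (
    rb"enable\s+editing", rb"enable\s+content", rb"this document is protected",
    rb"created on ios", rb"upgrade your edition of microsoft word",
    rb"preview is not available",
))
MACRO_CAPABLE = (".doc", ".dot", ".docm", ".xls", ".xlsm")


def assess_blob(name, data):
    """Score one attachment: extension, VBA stream markers and macro-enable lure text."""
    score, reasons = 0, []
    if name.lower().endswith(MACRO_CAPABLE):
        score += 1
        reasons.append("macro-capable extension: " + name)
    markers = [m.decode() for m in MACRO_MARKERS if m in data]
    if markers:
        score += 2
        reasons.append("VBA stream markers: " + ", ".join(markers))
    lures = sorted(p.pattern.decode() for p in LURE_PATTERNS if p.search(data))
    if lures:
        score += 2
        reasons.append("macro-enable lure text: " + ", ".join(lures))
    return score, reasons


def triage_message(raw):
    """Parse a raw RFC 822 message and return a verdict with the reasons behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"subject": msg["subject"], "score": 0, "reasons": [], "attachments": []}
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    # The "update Microsoft Word" template puts the urgency in the mail body itself.
    if "microsoft word" in text and "updat" in text:
        result["score"] += 1
        result["reasons"].append("body urges a Microsoft Word update")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        score, reasons = assess_blob(name, data)
        result["attachments"].append(name)
        result["score"] += score
        result["reasons"].extend(reasons)
    if result["score"] >= 4:
        result["verdict"] = "block"
    elif result["score"] >= 2:
        result["verdict"] = "review"
    else:
        result["verdict"] = "allow"
    return result


def build_sample(malicious):
    """Constructed test message (hypothetical addresses). The .doc payload is a stand-in
    byte string with the OLE2 magic, a VBA stream name and the lure text, not a real file."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    if malicious:
        msg["Subject"] = "Invoice 4471 - action required"
        msg.set_content("Your Microsoft Word needs to be updated to add a new feature. "
                        "Open the attached invoice after updating.")
        payload = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + b"_VBA_PROJECT\x00"
                   b"Upgrade your edition of Microsoft Word. Please click Enable Editing "
                   b"and then click Enable Content.")
        msg.add_attachment(payload, maintype="application", subtype="msword",
                           filename="Invoice_4471.doc")
    else:
        msg["Subject"] = "Invoice 4471"
        msg.set_content("Please find the invoice attached.")
        msg.add_attachment(b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
                           maintype="application", subtype="pdf", filename="Invoice_4471.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        r = triage_message(build_sample(flag))
        print(r["verdict"], r["subject"], r["reasons"])
```

The byte-string search is deliberately a coarse heuristic: Word stores much of its document text as UTF-16LE inside compressed OLE streams, so a production gateway should hand anything with a macro-capable extension to a real VBA extractor (oletools' olevba, for example) rather than rely on ASCII string hits. On the host side, the %LocalAppData% drop described above is the complementary check: an executable or DLL that appears in a fresh subfolder of %LocalAppData% minutes after a Word document was opened with macros enabled is the same infection chain seen from the endpoint.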

Emotet is also used to deliver other malicious code, such as the TrickBot and QBot trojans, or ransomware such as Conti (via TrickBot) or ProLock (via QBot).

Emotet remains one of the most widespread botnets, and experts expect it to keep evolving to evade detection and infect as many users as possible.