Emotet Malware to Steal Bank Credentials Spread Via Sms

On Feb 12, Hackers Review reported that Emotet malware can hack nearby Wi-Fi.

A new Emotet campaign is being circulated via SMS to bank customers and may have links to the TrickBot Trojan. Attackers send text messages that claim to come from the victim's bank; once the victim clicks the link in the message, they are asked to enter their banking credentials and to download a file that installs the Emotet malware on their system.

Since Emotet returned in September, a new and hazardous Wi-Fi hacking feature revealed last week could spread the malware like a worm. Now this new campaign adds a form of phishing that relies on text messages rather than e-mail.

Although smishing is certainly nothing new, researchers say that Emotet operators are constantly switching approaches beyond pure spam e-mail, making it hard for defense teams to keep up. The distribution strategies are a prime example.

"Mealybug, the gang operating Emotet, has varied its rate of operations over time and has sometimes gone through extended lulls and periods of low-volume activity. Multiple channels are in use, including spam, SMiShing and other ploys such as fake Coronavirus alerts distributed in Japan since late 2019."

The SMS messages appear to come from local US numbers, impersonate banks, and warn users that their bank accounts are locked. The messages encourage victims to follow a link that redirects them to a domain (Shabon[.]co) known to distribute Emotet.

Clicking the link leads to a customized phishing page that imitates the bank's mobile banking page. X-Force researchers were asked by Threatpost how many victims have received the SMS messages and which banks the messages claim to be associated with.

The smishing landing-page domain was registered on the same day the text messages were sent. The domain is named after the bank (under a different top-level domain) and is intended to convince victims to enter their credentials as the very first step.
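As an added illustration (not from the original report), a small Python triage helper that applies the indicators described above to incoming SMS text: lockout wording, a domain named after a bank but under a different TLD, a registration date close to the message date, and the distribution domain named in the article. The brand list, the legitimate TLDs and the registration dates are constructed stand-ins for a real allow-list and a WHOIS lookup.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample data for the example. Brand names and registration dates
# are hypothetical; the distribution domain is the one named in the article.
PROTECTED_BRANDS = {"examplebank": "com", "firstcredit": "org"}  # brand -> legit TLD
KNOWN_EMOTET_DOMAINS = {"shabon.co"}
REGISTRATION_DATES = {  # stand-in for a WHOIS creation-date lookup
    "examplebank.co": date(2020, 2, 19),
    "examplebank.com": date(2001, 5, 3),
}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+")
LURE_RE = re.compile(r"\b(locked|suspended|restricted)\b", re.I)


def registrable_domain(url: str) -> str:
    """Return the host part of a URL, lower-cased, with any 'www.' prefix removed."""
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().removeprefix("www.")


def score_sms(text: str, received: date, max_age_days: int = 7) -> list[str]:
    """Return the reasons an SMS looks like a bank smishing lure (empty list = clean)."""
    reasons = []
    if LURE_RE.search(text):
        reasons.append("account-lockout lure text")
    for url in URL_RE.findall(text):
        dom = registrable_domain(url)
        if dom in KNOWN_EMOTET_DOMAINS:
            reasons.append(f"known Emotet distribution domain: {dom}")
        labels = dom.split(".")
        if len(labels) >= 2:
            sld, tld = labels[-2], labels[-1]
            expected = PROTECTED_BRANDS.get(sld)
            if expected and tld != expected:  # bank name under the wrong TLD
                reasons.append(f"brand lookalike: {dom} (legitimate TLD .{expected})")
        created = REGISTRATION_DATES.get(dom)
        if created is not None and (received - created).days <= max_age_days:
            age = (received - created).days
            reasons.append(f"domain registered {age} day(s) before message: {dom}")
    return reasons
```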

After reviewing two binary files served to victims, researchers found junk content in the files containing political quotes from President Donald Trump and presidential candidate Michael Bloomberg. Researchers believe this tactic is a means of evading detection.

Notably, the TrickBot Trojan uses the same kind of junk-content anti-detection method, which researchers say points to a possible connection between the two malware families.

Although Emotet began its existence as a banking Trojan in 2014, it has grown into a full-service threat-delivery platform, delivering other malware such as TrickBot in past attacks, including a recent one aimed at the United Nations.

This campaign may be used as a targeted strategy to spread the TrickBot Trojan, since Emotet is known to be one way TrickBot payloads are dropped on infected devices.

Researchers expect that this recently launched smishing campaign, along with other recent Emotet activity, indicates that its operators may be preparing potential cyberattacks in July 2020.

"Mealybug is planning to expand its botnet, diversify its sources of illegal income and prepare a wider area of attack in Japan, potentially ahead of the Tokyo 2020 international sporting event," they said.
