EMOTET spread in Chile targeted financial and banking services. SI-LAB detected hundreds of users that were impacted by this malware between March 18th and 26th of 2019.
The last days of March 2019 are making headlines due to a targeted cyber attack involving a new variant of the infamous EMOTET malware. This threat is known as a banking trojan that collects financial information by injecting malicious code into a victim's computer.
EMOTET has evolved in its delivery methods; however, this wave was conducted in the most prominent form: malicious documents or URL links inserted into the body of an email, sometimes disguised as an invoice or a PDF attachment.
According to SI-LAB, a total of 176 users from Chile were affected in a broad cyber threat that occurred between March 18th and 26th of 2019. Once again, the main goal of this EMOTET campaign was to exfiltrate financial credentials from users' computers in order to access financial and banking services geolocated in Chile.
The first phase, identified as "__Denuncia_Activa_CL.PDF.bat", is responsible for operating a crucial part of this threat. That file was delivered via malspam campaigns around the world, and its source code is obfuscated in order to evade antivirus detection and complicate its analysis.
Interestingly, the first phase bypasses VirusTotal (VT) detections. With that, criminals achieved an important rule of thumb in the malware landscape: no detection. In fact, an old living-off-the-land technique was used, allowing the file to become fully undetectable (FUD), which is the ultimate goal for malware authors.
The .bat file is a Windows batch script that is responsible for downloading a second script from the Command & Control (C&C) server. The latter leverages the WinRAR/ACE vulnerability (CVE-2018-20250) to drop the malware itself into the Windows Startup folder. Next, the infected machine reboots and the malware becomes persistent through the system startup.
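The two stages described above (a document-looking ".PDF.bat" lure being executed, and an archiver writing a file into the Windows Startup folder) are both observable from endpoint telemetry. The following triage rules are an added example written for this article, not SI-LAB's or CSIRT's code; the event records are constructed and simplified, and the field names are assumptions rather than any particular EDR's schema.

```python
"""Triage rules for the EMOTET delivery chain described in the article.
The events below are constructed, simplified endpoint-telemetry records."""
import re
from pathlib import PureWindowsPath

# Lure pattern: a document-looking name carrying a script/executable suffix,
# e.g. "__Denuncia_Activa_CL.PDF.bat" (file name taken from the article).
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx)\.(bat|cmd|exe|vbs|js|ps1)\b", re.I)
# Path fragment shared by the per-user and all-users Startup folders.
STARTUP_FRAGMENT = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
ARCHIVERS = {"winrar.exe"}  # the process that CVE-2018-20250 abuses to write files

def deceptive_double_extension(text: str) -> bool:
    """True if a command line or path contains a doc.ext.script-style file name."""
    return DOUBLE_EXT.search(text) is not None

def in_startup_folder(path: str) -> bool:
    return STARTUP_FRAGMENT.search(path) is not None

def triage(events):
    """Return (rule_name, evidence) findings for the two stages of the chain."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create" and deceptive_double_extension(ev["command_line"]):
            parent = PureWindowsPath(ev["parent_image"]).name.lower()
            findings.append(("lure_script_executed", f"{parent} -> {ev['command_line']}"))
        elif ev["type"] == "file_create":
            writer = PureWindowsPath(ev["image"]).name.lower()
            if writer in ARCHIVERS and in_startup_folder(ev["target"]):
                findings.append(("archiver_wrote_startup_folder", ev["target"]))
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry (hypothetical paths)
    {"type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "command_line": r'cmd.exe /c "C:\Users\victim\Downloads\__Denuncia_Activa_CL.PDF.bat"'},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd.exe /c "C:\Tools\backup.bat"'},
    {"type": "file_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"type": "file_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\victim\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

Only the lure execution and the Startup-folder write from the sample set should fire; an ordinary batch file and a normal archive extraction into Downloads do not.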
The high-level workflow of this campaign is illustrated below.
EMOTET was protected with a commercial packer dubbed Themida. Themida introduced an additional protection layer that made the sample harder to analyze. Other restrictions were also coded in to prevent execution in certain scenarios. In this case, for instance, the malware authors introduced several anti-run checks tied to the victims' geolocation and language preferences: only Spain/Chile computers were compromised.
The Themida packer offers a large set of features that criminals value for protecting their threats. For example, it uses VM-protection techniques, debug protection, virtual machine emulation, anti-monitor techniques and anti-memory-patching (see the full Themida feature list here).
The first alert related to this wave was observed on March 22nd by the Computer Security Incident Response Team (CSIRT) of the Ministry of the Interior of Chile.
“Preliminary information collected allows us to determine that the following URLs and the following IP addresses must be blocked, unless otherwise indicated,” the CSIRT Ministry of the Interior states.
“Based on information obtained from internal sources, the cybersecurity alert situation was identified by an incident related to malicious software called EMOTET affected by the relevant sectors of the economy” – CSIRT Chile.
CSIRT released a comprehensive list of IP addresses associated with EMOTET that had to be blocked. A national alert was issued (below) and can be consulted at this URL.
To read the original article: