Financial Trojan EMOTET Uses Network Sniffing to Multiply its Misery

Hackers with access are bad news, no matter how you slice it

With just one member of an organization falling for the phishing scam that delivers the EMOTET Trojan, everyone and everything on the network they are connected to can be put at risk. Global Digital Forensics’ founder discusses what organizations can do to raise social engineering awareness to protect against these type of malware infiltrations, while at the same time helping to secure other critical aspects of their cyber security posture.

EMOTET Banking Trojan Sniffs Out Prey

Earlier this week, reports started surfacing about a new banking Trojan dubbed EMOTET making the rounds, like this June 30th report in Security Week . But unlike run-of-the-mill banking Trojans that employ keyloggers, screen captures, dummy website phishing portals and other means to capture sensitive banking information, EMOTET goes even further by leveraging network “sniffing” to propagate to other systems and devices connected to the same network as the compromised user. It also cleverly uses DLL files to store the information that is to be sent back to the attackers and to help cover its tracks so the user is oblivious to its presence.
“This allows for an attacker to monitor and capture digital information, even if it’s being sent through a normally secure connection,“ said Joe Caruso, CEO/CTO and founder of Global Digital Forensics (GDF), a premier provider of cyber security solutions, “putting financial data at great risk.”

I Spy … Everything

“As information travels across the network, it’s possible to "grab" that information,” explains Caruso, “so when hackers employ network sniffing in their malware design, it basically gives them the ability to “sniff out” the information and data moving across the network, even using normally secure HTTPS protocol, which could include information on other devices on the network, passwords, usernames, sites visited and virtually anything else users on the network are doing. It’s like a Hollywood heist movie where the bad guys splice into the security system and can see everything all the internal security cameras see without the guards having a clue. With the way they designed EMOTET to use DLL files, or overlay files, which no typical user ever pays attention to, it lets them not only store information like Web addresses of financial sites they are looking for a match to in order to trigger certain aspects of the payload, but also lets them evade detection so they can sit on the line undisturbed and undetected until the information they are after comes along. Then it’s just a matter of getting the detected information captured and sent back to the command and control module, which can be done in any one of a number of ways.”

Don’t be fooled by geography

According to the report, right now the European theater is being mostly affected, with Germany seeing the most action; even the phishing emails used are predominantly in German. “But don’t let geography or language lull you into a false sense of security,” Caruso warned, “think of it like a deadly virus outbreak. What may have started with a handful of infected individuals in a small village in China or Africa can make its way across oceans in a matter of hours by plane with just one infected passenger and start spreading like wildfire wherever they land. With the Internet, travel time isn’t counted in hours; it’s counted in fractions of a second, and the landing strip is right in your home or office. When hackers have success like they’ve been having with EMOTET, you can bet they will find a way to tweak their phishing scheme and payload to maximize success in other countries as well. So don’t discount the threat it poses right here at home just because it seems to have made its debut overseas.”

Social Engineering is a hacker’s favorite tool

“Our GDF emergency response teams are on call 24/7, and have been called in to handle countless cyber emergencies for organizations of all sizes. And if one thing bears repeating as often as possible, it’s that most successful advanced attacks start with a simple phishing email,” says Caruso. “You can have all the firewalls, virus scanners and other technology you want in place to thwart cyber attacks, and they do a great job in a great many cases to stop simple attacks, but the ones that make headlines and cause great turmoil for even some of the largest and most recognized companies on the planet can most often be traced back to a simple phishing or spear phishing email, which lets an attacker get a foothold on the network. The reasoning behind it is simple; if a hacker can muster enough trust in a well-crafted email by personalizing it enough to make sense to the target, human nature takes over and it gets opened, bypassing all the security measures in place to stop brute force attacks and such. Even simple curiosity can be costly, and it won’t bode any better for the organization than it did for the cat. We’ll take on the role of real-world hackers to shine a spotlight on a client’s weaknesses and raise awareness enterprise wide. We’ll even gather publicly available information that any hacker would have access to and launch a realistic phishing or spear phishing campaign, complete with a legitimate looking dummy website to entice users to divulge their credentials to us. When the smoke clears, we always have the user credentials hackers covet, and the lesson really sticks when we catch folks red-handed. In today’s digital age, it’s an invaluable lesson to learn in a way that doesn’t have all the grave consequences a real attack would.”

Test, identify and respond

“Regular vulnerability assessments and penetration testing are paramount for organizations to survive today’s cyber threat landscape,” Caruso cautions. “By letting cyber security specialists like ours at GDF review, test and identify an organization’s weaknesses on the cyber front, we can put together a remediation plan that will help any client significantly strengthen their cyber security posture. And since we’ve been at this for such a long time, our experience translates into streamlined, cost-effective solutions that not only fit our clients’ unique needs like a glove, but we also get the job done in the most efficient and cost-effective manner possible by not including solutions that simply aren’t needed for their situation. We take the time to understand the entire digital landscape and the data lifecycle of our clients’ ESI (Electronically Stored Information) and other digital assets, and that lets us offer plans and assistance which make a real difference, and not just “techie” sounding offerings, which serve no other real purpose other than inflating their bill unnecessarily.”

Cyber security solutions tailored to fit

*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.