Security researchers are seeing signs that the Emotet banking trojan is about to awaken from its latest hiatus by deploying newly improved credential and email stealing modules.
Emotet last came to life in January 2020, but analysts with the Herjavec Group believe the new modules are being placed as a first step toward the launch of a new phishing campaign. If and when this is released, targets will find themselves battling its anti-malware evasion and a hashbusting implementation that makes it more dangerous than previous versions. Hashbusting ensures that the malware has a different hash on each system it infects, rendering hash-based detections useless.
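To see why per-infection hashbusting defeats hash-based indicators while leaving content-based detection intact, here is an added illustration (not code from the advisory or from Emotet itself). The payload bytes and the way variants are derived are constructed stand-ins: a fixed core followed by a per-install junk tail, which is enough to change the file hash on every system.

```python
import hashlib

# Constructed stand-in for a payload's stable code section; not real malware bytes.
CORE = b"\x55\x48\x89\xe5\x48\x83\xec\x20\x31\xc0\xc9\xc3"


def build_variant(install_seed: int) -> bytes:
    """Simulate a hashbusting build: identical core, plus a junk tail that
    differs per installation (derived here from an assumed per-system seed)."""
    junk = hashlib.sha256(install_seed.to_bytes(4, "big")).digest()[:8]
    return CORE + b"JUNK" + junk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_indicator_hits(samples: list[bytes], known_hashes: set[str]) -> int:
    """Count samples caught by a hash-only IoC list."""
    return sum(1 for s in samples if sha256_hex(s) in known_hashes)


def pattern_indicator_hits(samples: list[bytes], pattern: bytes) -> int:
    """Count samples caught by a byte-pattern rule over the stable core
    (the kind of content-based signature a YARA rule would express)."""
    return sum(1 for s in samples if pattern in s)


def demo() -> tuple[int, int, int]:
    """Return (distinct hashes, hash-IoC hits, pattern hits) for three
    infections of the same payload on three hypothetical systems."""
    variants = [build_variant(seed) for seed in (1, 2, 3)]
    distinct = len({sha256_hex(v) for v in variants})
    # A hash IoC collected from the first victim only matches that one file.
    known = {sha256_hex(variants[0])}
    return (
        distinct,
        hash_indicator_hits(variants, known),
        pattern_indicator_hits(variants, CORE[:8]),
    )


if __name__ == "__main__":
    print(demo())  # (3, 1, 3): three hashes, one hash hit, three pattern hits
```

The takeaway for detection engineering is in the last tuple: every infection produces a new hash, so a hash list taken from one victim catches only that victim, whereas a rule keyed on the unchanged code bytes (or on behaviour such as the credential and email theft the new modules perform) still fires on all three.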
Some of the technical changes include reworked malware code that uses a state machine to obfuscate control flow: the code's branches are flattened into nested loops, so the code blocks can appear in any order in the binary while the state machine still executes them in their operational order.
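The following is an added example, not code from the advisory, showing what control-flow flattening looks like on a small function so an analyst can recognise the dispatcher pattern. `original` is an ordinary function; `flattened` computes the same result, but its blocks are stored out of order inside a loop and a state variable decides which one runs next. The function names and the state labels are my own.

```python
from typing import Optional


def original(x: int) -> int:
    """Plain control flow: block A, a branch in block B, then block C."""
    y = x * 2          # A
    if y > 10:         # B
        y -= 10        #   then-branch
    else:
        y += 1         #   else-branch
    return y + 3       # C


def flattened(x: int, trace: Optional[list] = None) -> int:
    """Same computation with flattened control flow.

    The basic blocks are laid out in an arbitrary order; a 'state' variable
    and the enclosing loop (the dispatcher) sequence them. Each block ends by
    setting the next state rather than falling through to a neighbour, so the
    textual order of the blocks no longer reveals the execution order.
    The optional trace records the state sequence for the reader's inspection.
    """
    state = "A"
    y = 0
    while True:
        if trace is not None:
            trace.append(state)
        if state == "C":            # stored first, executes last
            return y + 3
        elif state == "B_else":
            y += 1
            state = "C"
        elif state == "A":          # entry block, stored in the middle
            y = x * 2
            state = "B"
        elif state == "B_then":
            y -= 10
            state = "C"
        elif state == "B":          # the branch becomes a choice of next state
            state = "B_then" if y > 10 else "B_else"


def equivalent(lo: int = -50, hi: int = 50) -> bool:
    """Check that both forms agree across a range of inputs."""
    return all(original(x) == flattened(x) for x in range(lo, hi + 1))


if __name__ == "__main__":
    t: list = []
    print(flattened(7, t), t)   # 7 ['A', 'B', 'B_then', 'C']
    print(equivalent())         # True
```

What the analyst sees in a flattened binary is the dispatcher (the loop plus the comparisons on `state`) rather than a readable sequence of blocks; recovering the original order means tracking the values assigned to the state variable at the end of each block, which is why such code is slower to triage and harder to match with signatures built on the earlier layout.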
Threat Advisory Update: Emotet Botnet Shows Signs of Life & COVID-19 Phishing Campaigns Target Healthcare - Herjavec Group
The Emotet botnet has begun to show signs of life after months of inactivity. The E2 portion has started deploying credential and email stealing modules. It is believed that this could be a preparation step for a new spam campaign. During the downtime, the operators behind Emotet have redesigned...