Malware News Watch out for Emotet, the trojan that’s nearly a worm

[LASER_oneXM]

Network worms and Trojan malware are back with a vengeance. A good example is WannaCry, which infected hundreds of thousands of computers across the globe in May. Now comes Emotet – malware with worm and trojan characteristics that exploits weak admin passwords to spread across a victim’s network.

SophosLabs has seen a surge in Emotet cases in the past week and has blocked it from customer computers. Its payload is a form of banking Trojan designed to steal a user’s online banking details. Labs researcher Tad Heppner described it this way:

Emotet is a trojan although it also contains the functionality necessary to be classified as a worm. The primary distinction is that a trojan requires some degree of social engineering to trick a human into enabling the spread of the infection whereas a worm can spread to other systems without the aid of a user. Emotet downloads then executes other payloads, so even though its core component is not directly a worm, it does have the potential to download and execute another component to spread itself to other systems.

How it works
The initial infection is distributed via email spam. Researchers pieced together the following sequence of events:

• A spam email containing a download link arrives in the victim’s inbox.
• The download link points to a Microsoft Word document.
• The downloaded document contains VBA code that decodes and launches a Powershell script.
• The Powershell script then attempts to download and run Emotet from multiple URL sources.

The Emotet components are contained in a self-extracting WinRAR archive bundled with a large dictionary of weak and commonly used passwords. (Note: WinRAR is a Windows file compression tool.)
...
.......
....