Emotet trojan evolves to evade detection using malicious macros through XML files
February 15, 2019 | Malware and Vulnerabilities
- Two different types of malicious document formats are used to deliver malware.
- Once the trojan arrives on the infected host, it connects to a list of URLs that are hosted on the attackers’ C2 servers.
A new variant of Emotet trojan has been observed to be active since mid-January. It obfuscates the initial infection VBA macro code to avoid detection by anti-virus software.
Propagation method
The Menlo Security research team observed that the new variant is delivered in two different ways: first, via a URL hosted on attacker-controlled infrastructure, and second, as an email attachment.
Additionally, two different types of malicious document formats are used to deliver malware.
Explaining the first type, researchers said, “The first type, and the more prominent one, was an XML file that contains the standard XML header, plus the Microsoft Word Document XML format tags. This is followed by Base64 encoded data, which contains the compressed and obfuscated VBA macro code. The file itself was named with a .doc extension.”
The second type of malicious document consists of regular Microsoft Word documents that have malicious macros embedded in them.
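The detection opportunity in the first document type is the mismatch between the file's name and its contents: a genuine binary .doc begins with the OLE compound-file signature, whereas this lure is a Word 2003 XML file that happens to be named .doc and carries its macro project as a base64 blob inside the XML. The following checker is an added example written for this article, not code from Menlo Security or Cyware. It classifies a file by its leading bytes rather than its extension and, for Word 2003 XML, reports the w:macrosPresent attribute, any w:binData parts, and whether a decoded part starts with the ActiveMime header that Word uses for its compressed macro container. The sample document and file names are constructed for the demonstration.

```python
import base64
import binascii
import re

# Container magic bytes Word normally writes; a ".doc" that starts with neither
# is suspicious on its own.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (OLE/CFB)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx/.docm

# Markers of the Word 2003 XML format the article describes: an XML header,
# Word's document tags, and base64 binary parts that can carry a macro project.
XML_HEADER_RE = re.compile(rb"\A\s*<\?xml\b")
WORD_TAG_RE = re.compile(rb"<w:wordDocument\b")
MACROS_PRESENT_RE = re.compile(rb'w:macrosPresent="yes"')
BINDATA_RE = re.compile(rb"<w:binData\b[^>]*>(.*?)</w:binData>", re.DOTALL)
ACTIVEMIME_MAGIC = b"ActiveMime"  # header of Word's compressed macro container


def classify_word_file(name: str, data: bytes) -> dict:
    """Classify a file by content, not extension, and list macro indicators."""
    if data.startswith(OLE_MAGIC):
        container = "ole"
    elif data.startswith(ZIP_MAGIC):
        container = "ooxml"
    elif XML_HEADER_RE.match(data) and WORD_TAG_RE.search(data):
        container = "word2003xml"
    else:
        container = "unknown"

    indicators = []
    if name.lower().endswith(".doc") and container != "ole":
        indicators.append("extension_mismatch")  # .doc that is not an OLE file
    if container == "word2003xml":
        if MACROS_PRESENT_RE.search(data):
            indicators.append("macros_present_attribute")
        for part in BINDATA_RE.finditer(data):
            # Base64 in these files is usually line-wrapped; strip whitespace first.
            raw = re.sub(rb"\s+", b"", part.group(1))
            try:
                blob = base64.b64decode(raw, validate=True)
            except (binascii.Error, ValueError):
                indicators.append("undecodable_bindata")
                continue
            if blob.startswith(ACTIVEMIME_MAGIC):
                indicators.append("activemime_macro_container")
            else:
                indicators.append("binary_part")
    return {"container": container, "indicators": indicators}


def should_quarantine(name: str, data: bytes) -> bool:
    """Hold for review when a .doc is really XML and shows a macro indicator."""
    indicators = classify_word_file(name, data)["indicators"]
    return "extension_mismatch" in indicators and any(
        i in indicators
        for i in ("macros_present_attribute", "activemime_macro_container")
    )


# Constructed sample: a Word 2003 XML document named .doc whose binData part
# decodes to a fake ActiveMime header (no real macro project is embedded).
FAKE_MACRO_PART = base64.b64encode(ACTIVEMIME_MAGIC + b"\x00" * 16).decode()
SAMPLE_XML_DOC = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<?mso-application progid="Word.Document"?>\n'
    '<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml" '
    'w:macrosPresent="yes">\n'
    f'<w:binData w:name="editdata.mso">{FAKE_MACRO_PART}</w:binData>\n'
    "<w:body><w:p><w:r><w:t>invoice</w:t></w:r></w:p></w:body>\n"
    "</w:wordDocument>\n"
).encode()
# Constructed sample: the header of a genuine binary .doc, padded to one sector.
SAMPLE_OLE_DOC = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for fname, blob in (("invoice.doc", SAMPLE_XML_DOC), ("memo.doc", SAMPLE_OLE_DOC)):
        print(fname, classify_word_file(fname, blob), should_quarantine(fname, blob))
```

The check deliberately keys on the container rather than on a file name or hash, so it catches the masquerade regardless of how the lure is named; a mail gateway or sandbox would run `should_quarantine` on each attachment before delivery, and an analyst can feed any flagged XML part to a macro extractor for the VBA itself.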
Once the trojan arrives on the infected host, it connects to a list of URLs that are hosted on the attackers’ C2 servers to perform its final attack process.
Threat actor behind this malware
The MealyBug threat actor group is behind this new detection evasion capability added to the Emotet trojan. The trojan is known to be very active, showing up in new campaigns almost every month since October. In November, the actors moved their Command & Control infrastructure to the US.
In January 2019, the trojan made a comeback as an updated variant capable of checking whether the victim’s IP address is blacklisted or on spam lists maintained by Spamhaus, SpamCop, or SORBS.