A new variant of the Emotet trojan has been found collecting users' financial information by injecting malicious code into their computers. The variant has affected a total of 176 users in Chile.
How does it spread - According to the researchers from SI-Lab, the attackers used phishing emails to spread the malware. The malicious code was embedded in a document or URL inserted within the body of the email, disguised as an invoice or PDF attachment to trick users.
The campaign was carried out for the purpose of stealing financial credentials from users' computers in order to access financial and banking services geolocated in Chile.
Researchers believe that the cyber attack occurred between March 18 and March 26, 2019.
How does it operate - The attack involved the use of an old 'Living off the Land' technique to evade antivirus detection and complicate analysis.
"Interestingly, the first phase bypasses Virus Total (VT) detections. With that, criminals achieved an important rule of thumb in the malware landscape: no detection. In fact, an old living off the land technique was used, allowing it to get fully undetectable (FUD), which is the ultimate goal for malware authors," explained the SI-Lab researchers.
Once the document is opened, it drops a .bat file that is responsible for downloading a second script from the C2 server. The second script leverages the WinRAR vulnerability to drop the Emotet variant into the Windows startup folder. As a result, the infected machine is rebooted and the malware gains persistence through the system startup.
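As an added defender-side illustration, not code from the article or from SI-Lab, the following Python audit flags runnable files written to a Windows Startup folder during the reported incident window. The date window is the one the article gives; the user name, paths, timestamps and file list are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Suffix shared by the per-user (%APPDATA%) and all-users (%PROGRAMDATA%) Startup folders.
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"
# File types Windows runs or launches when it processes the Startup folder at logon.
SUSPECT_EXTENSIONS = {".bat", ".cmd", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr"}

# Incident window reported in the article (March 18 to March 26, 2019).
WINDOW_START = datetime(2019, 3, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2019, 3, 26, 23, 59, 59, tzinfo=timezone.utc)

@dataclass
class FileEntry:
    path: str           # full Windows path of the file
    modified: datetime  # last-modified time, timezone-aware

def in_startup_folder(path: str) -> bool:
    """True if the file sits directly inside a Windows Startup folder."""
    return str(PureWindowsPath(path).parent).lower().endswith(STARTUP_SUFFIX)

def audit_startup(entries, start: datetime, end: datetime) -> list:
    """Paths of runnable artefacts written to a Startup folder within [start, end]."""
    hits = []
    for e in entries:
        if not in_startup_folder(e.path):
            continue
        if PureWindowsPath(e.path).suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        if start <= e.modified <= end:
            hits.append(e.path)
    return sorted(hits)

# Constructed sample listing (hypothetical user "alice"); not real forensic data.
USER_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_ENTRIES = [
    FileEntry(USER_STARTUP + r"\invoice.bat", datetime(2019, 3, 20, 9, 14, tzinfo=timezone.utc)),
    FileEntry(USER_STARTUP + r"\OneDrive.lnk", datetime(2018, 6, 1, tzinfo=timezone.utc)),
    FileEntry(USER_STARTUP + r"\desktop.ini", datetime(2019, 3, 21, tzinfo=timezone.utc)),
    FileEntry(r"C:\Users\alice\Downloads\invoice.bat", datetime(2019, 3, 20, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for hit in audit_startup(SAMPLE_ENTRIES, WINDOW_START, WINDOW_END):
        print("suspect startup artefact:", hit)
```

On a live host, the same `audit_startup` function can be fed `FileEntry` records built from `os.scandir` over the %APPDATA% and %PROGRAMDATA% Startup folders, with the window widened to cover the period under investigation.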