A new variant of the EMOTET banking Trojan can detect and evade sandboxes and malware analysis tools, researchers said.
While EMOTET remains a banking Trojan for now, it is not tied to any one industry, so the malware could move across sectors, including into manufacturing automation environments.
“We discussed the re-emergence of banking malware EMOTET in September and how it has adopted a wider scope since it wasn’t picky about the industries it attacks,” said Trend Micro Threats Analyst Rubio Wu in a blog post. “We recently discovered that EMOTET has a new iteration (detected as TSPY_EMOTET.SMD10) with a few changes in its usual behavior and new routines that allow it to elude sandbox and malware analysis.”
The EMOTET banking Trojan, also known as Geodo, is malware related to the Dridex and Feodo families, said researchers at Trend Micro. Mainly used to steal banking credentials and other sensitive information, EMOTET can also see action as a Trojan downloader.
Microsoft researchers said earlier this month that EMOTET has been increasingly targeting business users.
EMOTET’s dropper switched from RunPE (a process-hollowing technique that injects the payload into a suspended copy of a legitimate process) to abusing a legitimate, documented Windows application programming interface (API), CreateTimerQueueTimer, researchers said.
The API creates a lightweight timer object in a timer queue. The caller supplies a callback function, an opaque parameter, a due time and an optional period; when the due time arrives (and again at every period), the system invokes that callback on a thread-pool worker thread rather than on the caller’s own thread.
“The original function of the API is to be part of the process chain by creating a timer routine, but here, the callback function of the API becomes EMOTET’s actual payload. EMOTET seems to have traded RunPE for a Windows API because the exploitation of the former has become popular while the latter is lesser known, theoretically making it more difficult to detect by security scanners,” Trend Micro researchers said in a post.
EMOTET also uses the timer as an anti-analysis measure: the callback fires every 0x3E8 (1,000) milliseconds, and on each tick the malware checks whether a scanner is monitoring its activity, so that it can dodge detection, researchers said.
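The CreateTimerQueueTimer pattern in working code, as an added example that is not part of Trend Micro’s post or of the sample itself: a benign counting callback stands in for the payload and is scheduled with the 0x3E8 ms period the article cites. On Windows the block calls the real API; on other systems the asynchronous callback is emulated with a POSIX interval timer (SIGALRM), an assumption made only so the example runs anywhere, and the demo_* names and run_periodic_callback are mine. The point for defenders is that the callback address and parameter handed to the API are the whole “injection”: a timer callback that points into freshly allocated, non-image-backed executable memory is the thing to alert on, and the callback runs on a thread the dropper never created.

```c
/* Added example: the CreateTimerQueueTimer callback pattern.
   Windows: real API. Elsewhere: SIGALRM emulates the thread-pool worker.
   Benign demo code, not EMOTET's dropper. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <signal.h>
#include <sys/time.h>
#include <time.h>
#endif

/* State shared with the callback. In a dropper the parameter block would
   carry whatever the unpacked payload needs; here it only counts fires. */
typedef struct {
    volatile int fired;   /* how many times the timer has invoked us */
    int          limit;   /* stop counting once this many have fired */
} demo_ctx;

#ifdef _WIN32
/* WAITORTIMERCALLBACK signature: this is the address a dropper points at
   its payload. A thread-pool worker, not the caller's thread, runs it. */
static VOID CALLBACK demo_callback(PVOID param, BOOLEAN timer_or_wait_fired)
{
    demo_ctx *ctx = (demo_ctx *)param;
    (void)timer_or_wait_fired;
    if (ctx->fired < ctx->limit)
        ctx->fired++;
}
#else
/* Emulation (assumption): SIGALRM stands in for the thread-pool worker.
   Signal handlers get no parameter, so the context is passed via a global. */
static demo_ctx *g_ctx;
static void demo_callback(int sig)
{
    (void)sig;
    if (g_ctx && g_ctx->fired < g_ctx->limit)
        g_ctx->fired++;
}
#endif

/* Arm a periodic timer whose callback runs every period_ms milliseconds,
   wait until it has fired `times` times, disarm it, and return the count.
   Returns -1 on a zero period (a zero period would never fire) or API failure. */
int run_periodic_callback(unsigned period_ms, int times)
{
    demo_ctx ctx = { 0, times };
    if (period_ms == 0)
        return -1;
#ifdef _WIN32
    HANDLE timer = NULL;
    /* NULL queue = default timer queue; due time and period are both period_ms */
    if (!CreateTimerQueueTimer(&timer, NULL, demo_callback, &ctx,
                               period_ms, period_ms, WT_EXECUTEDEFAULT))
        return -1;
    while (ctx.fired < times)
        Sleep(10);
    /* INVALID_HANDLE_VALUE: block until any in-flight callback returns,
       so the stack-allocated ctx is never touched after we leave. */
    DeleteTimerQueueTimer(NULL, timer, INVALID_HANDLE_VALUE);
#else
    struct sigaction sa;
    struct itimerval it, stop;
    struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms poll */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = demo_callback;
    sigemptyset(&sa.sa_mask);
    g_ctx = &ctx;
    sigaction(SIGALRM, &sa, NULL);
    it.it_value.tv_sec  = period_ms / 1000;
    it.it_value.tv_usec = (period_ms % 1000) * 1000;
    it.it_interval      = it.it_value;                 /* repeat every period */
    setitimer(ITIMER_REAL, &it, NULL);
    while (ctx.fired < times)
        nanosleep(&tick, NULL);                        /* EINTR is harmless here */
    memset(&stop, 0, sizeof stop);
    setitimer(ITIMER_REAL, &stop, NULL);               /* disarm before ctx dies */
    g_ctx = NULL;
#endif
    return ctx.fired;
}

int main(void)
{
    /* 0x3E8 ms is the interval Trend Micro reports for the sample's timer. */
    int n = run_periodic_callback(0x3E8, 3);
    printf("callback ran %d times at 1000 ms intervals\n", n);
    return n == 3 ? 0 : 1;
}
```

Build with `gcc timer_demo.c -o timer_demo` on Linux or with MinGW on Windows. The Windows branch is the one that matters for detection engineering: hooking or ETW-tracing CreateTimerQueueTimer is cheap, and the interesting signal is not the call itself (it is used constantly by legitimate software) but a Callback argument that lies outside any loaded module.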
In the second stage of the payload, EMOTET checks whether it is running inside a sandbox and terminates its own process if it is. The dropper inspects the machine’s NetBIOS name and the current user name and looks for the presence of specific files on the system, all of which can give away an analysis environment. Analysts who want the sample to detonate therefore need sandboxes whose host and user names look like ordinary workstations and that do not leave tooling at predictable file paths.
If it is not running with administrative privileges, the malware relaunches itself through another process. If it does have them, it creates an auto-start service for persistence, renames and starts it, then collects system information, encrypts it, and sends it to the command-and-control (C&C) server in a POST request.
EMOTET is distributed via phishing emails containing a malicious URL that leads to a macro-enabled document, which in turn drops the malware.