Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label DHL Express. Show all posts

Emotet : The Infamous Botnet Has Returned

 

Kaspersky researchers were able to retrieve and analyze 10 out of 16 modules, with most having been used by Emotet in the past in one form or another. Kaspersky Lab was created in 1997 as multinational cybersecurity and digital privacy organization. Kaspersky's deep risk intelligence and security expertise are continually evolving into new security solutions and services to safeguard enterprises, vital infrastructure, governments, and consumers all around the world. 

Emotet was discovered in the wild for the first time in 2014. Its major purpose back then was to steal user's financial credentials. Since then, it has gone through several modifications, began transmitting other viruses, and eventually evolved into a strong botnet. Emotet is a type of malware classified as banking Trojans. Malspam, or spam emails with malware, is the most common way for it to propagate. To persuade users, these communications frequently contain familiar branding, imitating the email structure of well-known and trustworthy companies such as PayPal or DHL. 

As per Kaspersky telemetry, the number of victims increased from 2,843 in February 2022 to 9,086 in March 2022, indicating the attackers targeted more than three times the number of users. As a result, the number of threats detected by Kaspersky solutions has increased, from 16,897 in February 2022 to 48,597 in March 2022. 

A typical Emotet infection starts with spam e-mails containing malicious macros in Microsoft Office attachments. The actor can use this macro to launch a malicious PowerShell command which will drop and start a module loader, which will then talk with a command and control server to download and start modules. In the percent Windows percent SysWOW64 or percent User percent AppDataLocal directory, Emotet creates a subfolder with a random name and replicates itself under a completely random name and extension. The exported Control RunDLL method is used to launch the Emotet DLL's primary activity. These modules can be used to carry out a range of actions on the infected computer. Kaspersky researchers were able to extract and evaluate 10 of the 16 modules, the majority of which had previously been utilized by Emotet. 

Researchers now state that the Emotet can download 16 modules judging by the recent Emotet protocol and C2 answers. They were able to recover ten of them (including two separate copies of the Spam module), which were utilized by Emotet to steal credentials, passwords, accounts, and e-mail addresses, as well as spam. We present a brief examination of these modules and also statistics on current Emotet attacks in this post. 

To gather the account details of various email clients, the current version of Emotet can create automated spam campaigns which are further spread down the network from infected devices, retrieving emails and email addresses from Thunderbird and Outlook apps and accumulating passwords from popular web browsers like Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 

Emotet infects computers in businesses and homes all around the world. As per our telemetry, Emotet most frequently targeted users from the following countries in Q1 2022: Italy (10.04%), Russia (9.87%), Japan (8.55%), Mexico (8.36%), Brazil (6.88%), Indonesia (4.92%), India (3.21%), Vietnam (2.70%), China (2.62), Germany (2.19%) and Malaysia (2.13%). 

The present set of components is capable of a wide range of malicious activities, including stealing e-mails, passwords, and login data from a variety of sources, as well as spamming. Except for the Thunderbird components, Emotet has utilized all of these modules in some form or another before. However, there are still a few modules that we haven't been able to get our hands-on.

FedEx and DHL Express Hit with Phishing Attacks

 

Researchers reported on Tuesday that they discovered two email phishing assaults targeting at least 10,000 mailboxes at FedEx and DHL Express that hope to extract client's work email account. In a blog published by Armorblox, the researchers said one assault impersonates a FedEx online document share, and the other claims to share shipping details from DHL. The phishing pages were facilitated on free services like Quip and Google Firebase to deceive security technologies and clients into thinking the links were legitimate.

“The email titles, sender names, and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said researchers with Armorblox on Tuesday. “Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.” 

The phishing email spoofing American multinational delivery services company FedEx was entitled, “You have a new FedEx sent to you,” with a date that the email was sent. This email contained some data about the document to make it seem legitimate – like its ID, the number of pages, and kind of document – alongside a link to see the supposed document. On the off chance that the recipients clicked on the email, they would be taken to a file facilitated on Quip. Quip, which comes in a free form, is a tool for Salesforce that offers documents, spreadsheets, slides, and chat services. 

A separate campaign impersonated German international courier DHL Express, with emails telling recipients that “Your parcel has arrived,” with their email addresses towards the end of the title. The email told recipients that a package couldn't be conveyed to them because of incorrect delivery details – and that the parcel is rather ready for pickup at the post office. The email provoked recipients to look at appended “shipping documents” if they want to receive their delivery. The attached document was an HTML file (named “SHIPPING DOC”) that, when opened, previewed a spreadsheet that looked like shipping documents.