Threat Report: Malware Referencing Coronavirus

What Is It?

Since the first reports of coronavirus began emerging in early January 2020, it was guaranteed that cyber attackers would attempt to leverage the subject as part of the social engineering aspects of their attacks. This is especially true now that coronavirus has altered the lives of billions of people in unprecedented ways.

Social engineering is the act of exploiting human psychology in order to gain a desired outcome. It is not exclusively limited to cyberattacks, though they are often mistakenly linked. In the case of attacks referencing coronavirus, attackers attempt to exploit potential victims’ understandable fears, concerns and heightened desire for news. Attackers are also aware that given the stresses and upheavals that the impact of coronavirus is having, potential victims may exercise less caution when reading their email and thus be more susceptible to basic social engineering techniques.

In fact, in many of the campaigns referencing coronavirus, only the social engineering component has evolved. The underlying malware used in these attacks were new variants of existing malware families that were already detected by BluVector’s patented Machine Learning Engine (MLE).

Emotet, Nanocore and Parallax in Spam

The Cisco TALOS team found malicious spam email campaigns attempting to spread variants of Emotet trojan, Nanocore RAT (Remote Access Trojan) and Parallax RAT. They also discovered a piece of destructive wiper malware where the filename translated into English was "coronavirus.exe." Their research included a list of 90 publicly available sample files related to these campaigns. All of the samples were detected by BluVector’s MLE with regression testing showing a detection average of 31 months prior to their release.

Another, unrelated Emotet campaign using a coronavirus lure was associated with four publicly available files, which our BluVector MLE regression testing showed would also have been detected 31 months prior to their release.

Folding@Thome Campaign Offers Info-stealing Trojan

Proofpoint researchers discovered a new information and credential stealing trojan named “Redline Stealer,” which was being offered for sale on Russian underground forums. In early March, an email campaign pretended to be sent by the genuine distributed computing project Folding@home, though it was misspelt as Folding@Thome. In the email body, users were asked to put their unused computer processing power to help to fight coronavirus. Clicking the link resulted in the installation of Redline Stealer, which is capable of collecting sensitive data from browsers and other applications along with the downloading and running of files. Of the two publicly available samples, BluVector’s MLE detected both at an average of 29 months prior to their release.

APT36 Targeting India-based Government Entities

Researchers at Malwarebytes found a spear phishing email campaign they have attributed to the APT36 group, which is believed to be Pakistan-based and focused on attacking India-based government entities. The attached malicious documents claim to be a health advisory from the Indian government, but contain macros resulting in the installation of a variant of Crimson RAT. This malware creates a backdoor on infected systems and is used to extract credentials and exfiltrate data files. When regression testing was performed on the four publicly available samples related to this campaign, all were detected by BluVector’s MLE at an average of nine months prior to their release.

Remcos RAT Pretends to be Safety PDF

A submission to their free Yomi Hunter sandbox service, led researchers from Cybaze/Yoroi Zlab to a file with the clearly suspicious name of CoronaVirusSafetyMeasures_pdf.exe. They found this sample to be an obfuscated dropper for the Remcos RAT, one of its main functions being the logging of keystrokes, along with audio and video capture. Regression testing found the sample was detected by BluVector’s MLE at 74 months prior to its release.

Coronavirus Map Site Delivers AZORult

Researchers at Reason Security found a sample where attackers had weaponized an application that displays a map of global coronavirus infections. This application, while displaying the map, installs a variant of the AZORult information stealer in the background. AZORult is capable of extracting stored credentials, credit card number and other information, including cryptocurrency wallets. Regression testing found the six samples listed were detected by BluVector's MLE at an average of 23 months prior to their release.

RobbinHood Ransomware Utilizes Gigabyte Driver Vulnerability

What Is It?

A new RobbinHood ransomware variant makes use of a benign Windows driver file containing a known vulnerability. In this case, the ransomware exploits this vulnerability in order to kill running processes and files of various endpoint security software, allowing the ransomware component to run unhindered.

It’s a good example of the continuous evolution and innovation of malicious attackers in order to ensure their malware is able to evade detection by various security products and infrastructure. Most often, these efforts are directed towards evasion of detection on the endpoint itself. In recent days, numerous reports have referenced research detailed by Sophos into this new Robbinhood ransomware variant, a new example of endpoint detection evasion.

To be effective, Windows security products take steps to ensure their running processes cannot simply be terminated by other processes and users. This can only be achieved by utilizing kernel mode drivers, which execute with the highest privilege levels. To limit the possibility of malicious kernel mode drivers being loaded, 64-bit versions of Windows Microsoft implemented what they call “driver signature enforcement,” which requires that the driver must be digitally signed by both the vendor and Microsoft themselves.

However, a driver created by Gigabyte, the well-known Taiwanese manufacturer of motherboards and graphics cards, contains a known vulnerability (CVE-2018-19320). This vulnerability, along with proof-of-concept code, was made public in late 2018. Despite the time which has passed since this public disclosure, the digital signing certificate had not been revoked, therefore the driver was still considered valid by Windows.

By exploiting the vulnerability, attackers were able to temporarily disable driver signature enforcement and load their own malicious driver. Once the malicious driver is loaded, it uses a hardcoded list of security product processes to terminate and then it deletes the files associated with those process, so they cannot be restarted. At this point, the ransomware payload is free to encrypt files.

The Gigabyte driver used in this attack is not the only driver with a vulnerability of this type, so there is the potential for other attackers to attempt to use a similar technique. Again, this technique attempts to evade endpoint detection and protection mechanisms, BluVector’s real-time, network-based detection efficacy is not impacted.

How Does It Propagate?

The RobbinHood malware does not contain the necessary code to self-propagate. The most common attack vector for ransomware is social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

There are three malicious samples related to this malware, BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 56 months prior to their release. The main malicious sample contains the other two malicious samples within itself and this sample would have been detected 75 months prior to its release.

Fractured Statue APT Campaign Targets U.S. Government Agency

What Is It?

A recent blog entry by Palo Alto Network’s Unit 42 research team details a campaign, which they have named Fractured Statue, of malicious phishing emails sent to employees of an unnamed U.S. government agency. These phishing emails contained malicious Word documents which executed two different downloaders. Unit 42 refers to these downloaders as CARROTBAT and a newer variant they dubbed CARROTBALL. The payload downloaded by both was a variant of a RAT (Remote Access Trojan) called SYSCON. The campaign was initially discovered in October 2019 but was found to have occurred during the period between July and October 2019.

Researchers detailed three specific attacks that occurred as part of the overall campaign, all utilizing a similar attack chain. The first attack covered a few days in the middle of July 2019 and consisted of targeted phishing emails sent to five employees of a U.S. government agency from two email addresses in the .ru (Russia) domain. The emails contained Word documents, written in Russian, with Russian filenames, with textual contents  related to tensions between North Korea and the West. The documents also contained a malicious macro that downloaded and executed a variant of the SYSCON RAT.

One month later, the second attack was launched, occurring over a one-month period from mid-August to mid-September. This attack targeted three additional employees of the same U.S. government agency as the first attack. This time, the malicious documents and the body of the emails utilized both Russian and English and again the downloaded payload was the SYSCON RAT.

The final attack occurred at the end of October 2019 and initially targeted two foreign nationals related to the political situation in North Korea. The malicious documents in this final attack used a different macro, but still resulted in the installation of the SYSCON RAT.

The SYSCON RAT has been seen in the wild since the latter part of 2017. SYSCON is notable for the fact that it utilizes an FTP for its command and control (C2) communication, rather than the more common use of web (HTTP) connections. Previous campaigns making use of SYSCON have also made reference to North Korea, though it should not be assumed the campaigns are orchestrated by North Korean entities. Rather than web traffic, communication between SYSCON and its C2 site occurs by uploading and downloading encoded and zipped files .

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial infection vector for this campaign is malicious Microsoft Word documents.

When/How Did BluVector Detect It?

Eight samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected for an average of 48 months prior to their release.

Zeppelin Ransomware Targets Healthcare and IT Organizations

What Is It?

Researchers at Blackberry Cylance have discovered a new ransomware variant they’ve named Zeppelin, due to a string that is inserted into the files that it encrypts. Rather than an entirely new ransomware family, they believe Zeppelin to be the newest variant of the Vega (also known as VegaLocker) ransomware, first seen in early 2019. Researchers have observed Zeppelin deployed by attackers in targeted attacks against healthcare and IT organizations in both Europe and the United States. Some of the victims were managed service providers, seemingly chosen for the ability to infect customer systems, reminiscent of recent Sodinokibi ransomware attacks.

Zeppelin utilizes a variety of techniques in an attempt to evade detection. It is written in the Delphi programming language, a so-called “high level” programming language, meaning it is closer to English than machine language. The fact Delphi source code is easy to read is countered by the fact that it is actually more difficult and/or time consuming to reverse engineer and analyze than other languages.

As with most malware, particularly ransomware, created by Russian-speaking attackers, Zeppelin is designed to harmlessly exit if it detects it is running on systems located in Russia and a number of former Soviet republics. Text strings are often used by legacy signature-based products for detection, therefore Zeppelin uses RC4 encryption to protect many strings. It also attempts to appear benign by making various calls to Windows API routines which would not normally be considered suspicious. Loops are used to try to evade sandbox detection.

As is common with current ransomware, Zeppelin begins by terminating processes for various email, backup and database products, ensuring the maximum number of important data files can be encrypted. When Zeppelin beings encrypting files, it begins with files on the current drive. It will then create additional processes to handle encryption of network shares and other attached drives. It does not alter the filenames of encrypted files. The ransom note provides an email address to contact the attackers to determine payment details or to be able to decrypt one file for free. It is believed Zeppelin is cryptographically secure and that having current backups or paying the ransom are the only ways to restore encrypted files.

How Does It Propagate?

It is believed Zeppelin ransomware is reaching targeted networks by compromised internet-facing Remote Desktop servers.

When/How Did BluVector Detect It?

Six samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown all samples would have been detected 71 months prior to their release.

Buer Loader Designed for Malware-as-a-Service Attackers

What Is It?

Researchers at Proofpoint have been following the appearance of a new downloader, named Buer by its authors, since the latter part of August 2019. This downloader is sold on various dark web forums and contains a feature set that is similar to the highly prevalent Smoke Loader. Smoke Loader is known to have downloaded various trojans, including those specifically designed for stealing financial and banking credentials.

In previous Threat Reports we have discussed a subset of malware called downloaders (often shortened to just “loaders”). When used by attackers, a loader is the initial infection vector, designed to evade detection by endpoint security products and then download and execute one or more malicious payloads. Loaders provide attackers a great deal of flexibility as to the malicious payloads they can deploy and are generally used by attackers utilizing malware-as-a-service (MaaS) options. If a loader evades detection it can download a variety of malware families and variants by numerous unrelated attackers. Conversely, if a loader is detected and prevented from executed, then a wide range of attacks can be blocked.

In August, researchers first noticed Buer being installed on systems compromised by the tried and true method of a Microsoft Word document containing a malicious macro attached to a spam email. This was followed by several other malicious campaigns in September and October. While investigating, researchers found Buer was being sold for $400. The advertisement for its sale contained a lot of information regarding the feature set of the control panel, used by the purchaser to monitor infections and interact with infected systems. Obviously, this is an important aspect for potential customers, usually less technically-skilled attackers, who choose MaaS.

The primary function of the Buer loader is to download and execute other malware. To achieve this Buer needs to evade detection, which it attempts with common methods such as checking for virtual machines, debuggers and that it is not running on systems in various former Soviet countries. It also encrypts strings and obfuscates Windows system calls. Researchers also found support for downloading additional modules, though they did not observe this behavior as of yet.

How Does It Propagate?

Buer loader does not contain the necessary code to self-propagate. It has been observed being distributed by spam campaigns containing Word document attachments with malicious macros.

When/How Did BluVector Detect It?

Five samples listed in the research report are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 38 months prior to their release.


PureLocker Multiplatform Ransomware Avoids Legacy AntiVirus Detection

What Is It?

PureLocker, a new multiplatform ransomware recently named by researchers from Intezer and IBM X-Force, is being used in targeted attacks against production servers of enterprise-level organizations. While the research was performed on Windows variants, they also observed a Linux variant being used by the attackers, providing them with more options for compromising the infrastructure of their targets.

The name PureLocker derives from the fact it is written in the programming language PureBasic. The use of the somewhat obscure PureBasic language is advantageous to the attackers in two important ways. Firstly, PureBasic is relatively easily ported between Windows, Linux and macOS, increasing the potential attack surface with limited effort. Secondly, Intezer found signature-based antivirus had difficulty detecting PureBasic executables. In fact, over a three-week period from mid to late October 2019, samples submitted to VirusTotal varied between one and zero detections out of the 66+ products the samples were tested against. They also found samples showed no malicious behavior when tested against several sandboxes.

To avoid detection, PureLocker utilizes multiple techniques. Text strings within a sample are often utilized for signature-based detection, as such obfuscation of strings is quite common. In the case of PureLocker, strings are stored as hex strings and decoded as required. Upon execution, PureLocker checks to ensure that it is not being debugged or otherwise analyzed. While this is a common technique, PureLocker does something different as it will exit but not delete itself if it detects analysis attempts. By not deleting itself, it potentially appears less likely to be malicious behaviorally than a sample which exits and deletes itself. It also checks what process is executing it, its filename extension, the current year is 2019 and administrator level access.

If all checks pass and PureLocker executes its ransomware payload, it avoids executable files and encrypts a large range of data files, appending .CR1 to the end of the filename. Once encrypted, the original file is deleted securely. The displayed ransom note contains a unique Proton email address for communication with the attackers and does not contain a ransom amount, clearly this is negotiated with the attackers via email.

How Does It Propagate?

PureLocker does not contain the necessary code to self-propagate. The infection vector is not known, however for most ransomware it is social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

Despite the observed difficulties that legacy anti-virus and sandbox products have detecting PureLocker, two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown the samples would have been detected a full 52 and 53 months respectively, prior to their release.

Fileless Malware: If You’re Not Worried, You Should Be

Gartner, Inc. estimates that more than $124 billion will be spent on information security products and services in 2019. Conversely, it is estimated that cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015. While the message that “crime does not pay” was drilled into our heads in TV and movies… it seems that it this crime does.

The first computer “virus” can be traced back to 1971. Named “Creeper system,” it would infect the computer with the message “I'm the creeper, catch me if you can!” and would disable that workstation.

Over the years, the bad guys continue to hone their tools and the computer virus has paved the way for computer worms, ransomware, spyware, adware, trojan horses, keyloggers, rootkits and other malicious software. While each of have their own unique traits, they intent is the same -- infecting a computer to do something “evil” on behalf of a threat actor.

As the cat-and-mouse game between security professionals and threat actors play out on a daily basis, a new threat is emerging that is keeping the good guys up at night. The threat of fileless malware is increasing and brings up a unique set of challenges that still thinks about how to combat file-based attacks.

Fileless malware describes a set of attacks that use the underlying operating system, usually Microsoft Windows, against itself. A typical end user barely scratches the surface of the capabilities built into the operating system. Under the hood of Windows are over 100 legitimate Windows system tools including PowerShell, Windows Management Instrumentation (WMI), .NET and Microsoft Office Macros that can be exploited in a fileless malware attack.

These tools do serve a purpose in the typical enterprise. PowerShell is used by system administrators to automate tasks; WMI is used to manage Windows workstations on a network; .NET is used for custom application development and Microsoft Office Macros can be used work magic in Microsoft Word, Excel or PowerPoint.

So, how can you protect against these types of attacks? Turning everything off isn’t possible. A typical enterprise would quickly grind to a halt (and it would be virtually technically impossible to do).

The first thing to keep in mind is that the most common attack vector for fileless malware attacks is delivery as an attachment to an email. Microsoft Office documents or PDF files are often used to deliver a payload with malicious intent. The payload will attempt to use one or more legitimate Windows tools to execute a script or macro and exploit that workstation. As they utilize legitimate Windows functions, they are hard to detect. So threat actors can hide in the shadows of what looks to be normal activity.

Existing, signature-based security can help with known threats, yet they’re challenged to protect against fileless malware attacks. The payload seems to be legitimate and will not raise any red flags. The key to protecting against fileless malware is to look beyond the payload’s contains, and instead understand what that payload is capable of.

While great efforts have been made to educate end users to recognize when an email doesn’t look right and enabling them with a mechanism to report it to the security team, it is only part of the solution. It only takes one user to open an attachment that they should not have to cause a problem.

This is where machine learning (ML) and artificial intelligence (AI) can play a large part in the defense of a network. ML and AI can analyze files and network traffic at line speeds and determine if that content has the potential to do something malicious. A Microsoft Excel spreadsheet with a macro that calculates commissions for a sales team is likely legitimate, but a spreadsheet that executes a Microsoft PowerShell command to download a piece of code is probably not.

A well-trained workforce is a key part of network defense, but it doesn’t scale. An effective defense needs to analyze traffic as it comes across the network and stop it before it makes it into users’ inboxes.

The good news is that the Speculative Code Execution in BluVector Cortex was created to help with the detection of fileless malware within an organization’s network environment. If you’re already a customer, you already have this capability.

Adwind RAT Targets U.S. Petroleum Industry

What Is It?

A new campaign utilizing the Adwind RAT (Remote Access Trojan) and specifically targeting organizations within the U.S. petroleum industry has been discovered by researchers at Netskope. The Adwind RAT is also known as AlienSpy, Frutas, jRAT, JSocket and Sockrat and is written in Java, allowing it to execute on Windows, Linux and Mac systems.

Adwind is available for sale by its authors on the dark web via a malware-as-a-service (MaaS) offering, where attackers pay a fee in order to use the malware in their malicious campaigns. Adwind has been available for a number of years and reports state there were approximately 1,800 unique customers at the end of 2015.

Adwind contains functionality expected of a RAT, including the ability to log keystrokes, steal credentials stored on the system or entered on web pages, take screenshots or audio and video, manipulate files, steal cryptocurrency keys and VPN certificates and download and execute other malware. Netskope found that the attackers behind this campaign were using Adwind as a reconnaissance and exfiltration tool to acquire credentials, documents and other files, such as SSH keys to allow the attackers to move laterally through the network.

The Adwind malware itself isn’t particularly sophisticated at a code level and Netskope believes the variants in this campaign weren’t using the latest versions. However, what makes this campaign noteworthy is the use of multi-level obfuscation and encryption as an attempt to evade detection by legacy security products, including anti-virus. The initial malicious Java JAR file infects systems at targeted organizations as an attachment or a link in a malicious spam email. This JAR file copies itself to the user’s directory and runs the copy, which then decrypts and executes the next stage, which in turn then creates the final JAR payload.

Netskope found the author’s time and effort was well spent creating the multi-level obfuscation and encryption. When the samples were initially scanned by the VirusTotal service, the initial sample was only detected by five products, whereas the final, unobfuscated sample was detected by 49. Clearly their techniques were successful at evading detection by legacy anti-virus products.

After the fact, these products can now create signatures to detect this specific initial sample, however, BluVector Cortex was capable of detecting both these samples months prior to them even being created.

How Does It Propagate?

The Adwind malware does not contain the necessary code to self-propagate. Malicious spam emails containing a link or attachment are used to compromise systems at targeted organizations.

When/How Did BluVector Detect It?

Both the initial and final malicious JAR samples were detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown these samples would have been detected for an average of 30 months prior to their release.


PcShare Malware Brings a Fake Narrator

What Is It?

Researchers from Cylance’s research and intelligence team have detailed an ongoing campaign called PcShare by a suspected Chinese APT (Advanced Persistent Threat) group targeting heavy industrial organizations in South East Asia, including the Philippines and Taiwan. The attack, comprised of two components, starts with is a customized variant of a Chinese open source remote access trojan (RAT), PcShare, which is then followed by a trojanized screen reader which replaces the Narrator utility, part of Microsoft Accessibility Features supplied with Microsoft Windows 10.

The source code for several versions of PcShare is available on GitHub, however the version used by these attackers is heavily modified and employs techniques intended to make detection, especially by legacy anti-virus products, more difficult. Firstly, the code for any functionality not required by the attackers has been removed, which not only makes the code smaller and more efficient, but is likely intended to make signature-based detection less likely. Next, the attack uses a technique known as “DLL side loading” to use a legitimate application to load malicious code into memory and execute it. In this case, a component of the NVIDIA graphics driver is used to achieve this.

The malicious payload is encrypted with the most basic method of a XOR operation using a single byte as the encryption key. However, as an anti-analysis mechanism against manual or automated sandbox analysis, the single byte encryption key is calculated based on the name of its parent process. Once decrypted, the payload is loaded in RAM without ever being saved to disk, again attempting to avoid detection by endpoint security software. These techniques are all relevant in the context that the malware is executing on an endpoint and have no impact on BluVector’s network detection capabilities.

Some of the functionality removed from publicly available PcShare versions relates to audio/video streaming and keylogging. However, the attackers have added the ability to encrypt C2 (command and control) traffic. The have also added code to obtain proxy authentication credentials stored on the infected system. As most corporate networks utilize proxies; this allows the malware to communicate in such an environment. As a RAT, functionality exists to manipulate files, running processes, registry keys and to download and execute other code.

One such piece of code is the so-called fake Narrator malware. The purpose of fake Narrator is to allow the attackers to remotely obtain access to a command prompt, with system level privileges, without authentication. Prior to installing fake Narrator on an infected system, the attackers will rename the legitimate Narrator executable. When fake Narrator has been enabled at the logon screen via Ease Of Access, it runs the legitimate Narrator and creates a hidden, overlapped window. It then monitors keystrokes for a hardcoded password which, if received, allows the attackers to run any application with system privileges on the logon screen. The infected system is now completely compromised and remotely accessible by the attackers.

How Does It Propagate?

The malware discussed here does not self-propagate. The infection vector is not known. However, the most likely vector is social engineering, either as a malicious attachment or downloads performed by malicious documents or links.

When/How Did BluVector Detect It?

Three samples of PcShare are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Despite the samples being first seen in the wild up to 15 months ago, regression testing has shown the samples would have been detected an average of 47 months prior to their original release.

Emotet Returns After a Summer Break

What Is It?

First discovered in 2014, the Emotet trojan has previously been the subject of several Threat Reports. Initially a banking trojan, it has since evolved to focus on the sending of spam emails and distribution of other malware. This change in functionality might be tied be more profitable option for its authors.

In early June 2019, it was observed that its C2 (command and control) servers had stopped communicating with infected systems. Researchers posited this would be a temporary shutdown and were proven correct, as C2 traffic restarted on August 22nd. After the restart, it appears that the authors performed some housekeeping on their infrastructure, such as removing fake bots attempting to communicate to the C2 servers and preparing the next campaign.

In mid-September the new campaign began, aimed at users in the U.S., the UK, Poland, Italy and Germany. This was a widespread campaign, with spam emails received by home users in addition to corporate and government organizations. Researchers from Cofense Labs found emails from this campaign were sent to users at more than 30,000 domain names and came from 3,362 unique senders at 1,875 domains. The sender’s email credentials had previously been stolen. The spam emails used mainly financially orientated lures, such as overdue bills or payment receipts and were written in the language (English, Polish, Italian and German) matching the domain they were sent to. True to form for Emotet, the attachments to these emails were Microsoft Word documents with malicious macros. Once the Emotet trojan was installed, the Trickbot trojan was downloaded, which frequently results in a tertiary infection of Ryuk ransomware.

The campaign described above has been followed up with another beginning this week. Utilizing another oft-used technique from the attacker’s playbook, the lure of this campaign is that the attachment is a Microsoft Word copy of the highly-publicized and controversial new book by Edward Snowden.

Researchers from Malwarebytes Labs found examples of these spam emails in English, French, Spanish, German and Italian. When the user opens the Microsoft Word document, it uses a similar social engineering technique to the previous campaign to convince users to provide the necessary permissions to allow the malicious macro to execute. In this case, it states Word has not been activated and in order to continue using it, they must enable editing and enable content.

Emotet continues to be an extremely dangerous and prolific threat, in most cases a triple threat of Emotet, Trickbot and Ryuk. The potential end result being the theft of data and credentials followed by encryption of user’s data.

How Does It Propagate?

Emotet uses malicious Microsoft Word documents attached to spam emails as its initial infection vector. However, Emotet also contains a list of frequently used passwords which it uses to attempt to access and infect other systems on the network.

When/How Did BluVector Detect It?

Samples are publicly available from both Emotet campaigns described above and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown samples of both the malicious Microsoft Word documents and the Emotet trojan would have been detected for up to 69 months prior to their release.