Emotet (also known as Geodo or Feodo) is a banking trojan, first documented by Trend Micro in 2014, that targeted German and Austrian banking clients. In 2015, Kaspersky published findings on a variant targeting Swiss banking clients. Differences in this version included a new public RSA key (replacing the previous one) and the removal of comments and debugging information from the Automatic Transfer System (ATS) script. This script enabled the automatic transfer of funds from the infected user's bank account to the cybercriminal's.

Recent detection and reporting of the malware's activity have come from two sources. The two campaigns targeted users in different geographic regions, yet both were active in April 2017 and took similar courses of action, suggesting the same attacker may be behind both.

The first report came from Polish CERT after it detected a large e-mail phishing campaign. This campaign imitated delivery notifications from DHL and contained a malicious link. The link pointed to a dropper, which downloaded and executed the malware.

The second campaign targeted email addresses under the .UK TLD, as reported by ForcePoint. This phishing campaign imitated legitimate telephone bills, with emails containing a link that downloads a JavaScript (JS) file. Running the file displays an error message; clicking OK starts the infection, after which the malware communicates with its Command and Control (C&C) server.

The Center for Internet Security (CIS) reported a third campaign in April 2017. This campaign targeted federal, state, local and territorial (FSLTT) groups in the US. Phishing emails were sent with high priority and imitated bill notifications. The difference here is that the link to the JS file is delivered inside a PDF attachment rather than in the email body.

It's worth noting that the UK and US campaigns share striking similarities, which shows that the operators have expanded the scope of their targets.

Enabling the following targets in policies for ThreatSTOP DNS and IP Firewall Services protects against Emotet/Geodo/Feodo:

  • TSCritical
  • Feodo (Expert only)
  • Botnets (which includes the Feodo and TSCrit targets)
  • Banking Trojans

If you do not have a ThreatSTOP account, sign up for a free trial.

If you do have a ThreatSTOP account, instructions for adding targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our Support team.