<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img src="https://info.threatstop.com/hubfs/emotet1.jpg" alt="emotet1.jpg"></p> <p><strong>Emotet</strong> (also <strong>Geodo</strong>, <strong>Feodo</strong>) is a banking trojan (discovered by <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/">Trend Micro</a> in 2014) that targeted German and Austrian banking clients. In 2015, Kaspersky published <a href="https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/">findings</a> on a variant targeting Swiss banking clients. Differences in this version included a new public RSA key (replacing the previous one) and the removal of comments and debugging information from the Automatic Transfer System (ATS) script. This script enabled the automatic transfer of funds from the infected user's bank account to the cyber criminal's.</p> <p>Recent detection and reporting of the malware's activity have originated from two sources. The targeted users are in two different geographic regions, yet both campaigns were active in April 2017. Both took similar courses of action, indicating the possibility of the same attacker.</p> <p>The first report came from <a href="https://www.cert.pl/en/news/single/analysis-of-emotet-v4/">Polish CERT</a>&nbsp;after detecting a large e-mail phishing campaign. This campaign imitated delivery notifications from DHL and contained a malicious link. The link pointed to a dropper, which downloaded and executed the malware.</p> <p>The second campaign targeted email addresses with .UK <a href="https://dochub.threatstop.com/display/TS/T#T-_tld">TLD</a>s, as <a href="https://blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk">reported</a> by ForcePoint. 
This phishing campaign imitated legitimate telephone bills, with emails containing a link that downloaded a JavaScript (JS) file. After the file was run, an error message was displayed. Clicking OK starts the infection, and the malware can then communicate with its Command and Control (<a href="https://dochub.threatstop.com/display/TS/C#C-_c&amp;c">C&amp;C</a>) server.</p> <p>The <a href="https://www.cisecurity.org/emotet-changes-ttp-and-arrives-in-united-states/">Center Of Internet Security</a> (CIS) reported a third campaign in April of 2017. This campaign targeted federal, state, local and territorial (FSLTT) groups in the US. Phishing emails were sent with high priority and imitated bill notifications. The difference here is a PDF attachment containing a link to a JS file intended for the recipient.</p> <p>It's worth noting that the UK and US campaigns have stark similarities. This shows that the operators have expanded the scope of their targets.</p> <p>Enabling the following targets in policies for ThreatSTOP DNS and IP Firewall Services protects against <strong>Emotet</strong>/<strong>Geodo</strong>/<strong>Feodo</strong>:</p> <ul> <li>TSCritical</li> <li>Feodo (Expert only)</li> <li>Botnets (which includes the Feodo and TSCrit targets)</li> <li>Banking Trojans</li> </ul> <p>If you do not have a ThreatSTOP account,&nbsp; for a free trial.</p> <p>If you do have a ThreatSTOP account, instructions to add targets to a <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+DNS+Firewall#ThreatSTOPDNSFirewall-DNSFWPolicy">DNS</a> or <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+IP+Firewall">IP</a> Firewall policy are available on the ThreatSTOP Documentation Hub. Or contact our&nbsp; team.</p></span>