Over the past few weeks, a new piece of banking malware identified as EMOTET has been spreading through Germany, and now the US, through spam emails. According to Joe Salvio with Trend Micro, once introduced to a system, EMOTET downloads a configuration file with information on the banks it is targeting. It also downloads a file that intercepts and logs network traffic.
For a full run-down on EMOTET and how it works, check out this article at SC Magazine.
Malicious browser extensions are nothing new, and their numbers have been increasing steadily over the past year. Until now, these extensions have primarily been used to perform click fraud by placing bogus advertisements into websites or hijacking search queries. EMOTET represents a much more harmful evolution of the malicious browser extension. There are a few notable characteristics of EMOTET that distinguish it from other malware:
- Its network-sniffing ability captures data sent over secured HTTPS connections without the user ever knowing. In other words, a user’s browser may show that they are working on a secure connection while the EMOTET code sits at the network-interface level to snoop traffic. This goes beyond snooping banking site credentials. With EMOTET, the information is intercepted before it reaches any browser-level encryption. So the bad guys can monitor 100% of anything sent over the network, even if you are encrypting the connection.
- Because it sits at the network interface level, EMOTET does not have to rely on phishing pages or form field insertion to capture information.
- The code needs to be customized to the platform being targeted. At the moment, EMOTET is targeting Windows. But it could be easily tweaked to target Linux, OSX, and other platforms.
EMOTET is a very dangerous, clever bit of code. And according to research reported by PC World, many security measures simply are not intended to protect against an EMOTET-type attack. The entire article is worth a read, but one analysis that stood out was the examination of a service that isolates applications by running them in a traditional sandboxed environment. According to the product description, this will trap any malicious code inside the sandbox, where it can be ‘discarded trivially.’ Even in this scenario, EMOTET is dangerous. It may not be able to write to local storage outside the sandbox, but it can still log keystrokes or sniff out information -- passwords, authentication cookies -- stored in the sandbox itself.
But in order to work, it must first be installed on a user’s system through a browser. With Silo, we support plug-ins installed at the administrative level, but have policies that prohibit user-added browser plug-ins or interfaces that add system-level files or make system changes. In addition, Silo operates on a heavily customized version of Linux that defends against many common memory-based exploits, and the browser is run in a hardened environment. To attack a user running Silo, the bad guys would not only have to know the specifics of our configuration in order to adjust EMOTET properly, they also would have to breach our browser environment. Each user also has their own sandbox with its own SSL connection, so there is no single point of access to common resources. Finally, the user’s sandbox and all the data it contains is deleted -- wiped clean -- after each session.
This does not mean that Silo users are invulnerable to compromise. If a user browses outside Silo, EMOTET may find its way onto the machine they use to connect to Silo. Once installed, it wouldn’t be able to capture the data sent over Silo, but it could capture keystrokes and screenshots. However, users who manage their passwords in Silo would still be protected because credentials are supplied from our cloud-based datacenter, not the local machine.
The strongest defense against malware like EMOTET is to connect through an environment like Silo that never allows the code onto the user’s computer in the first place.