Security researchers have disclosed an Emotet attack campaign that leverages SMS messages that are seeking to trick victims into handing over their details. The attack involves sending SMS messages to victims pretending to be from their bank. When a link is clicked the users is asked for their banking credentials and download a file.
The file is infected and can overtake their system using the Emotet malware. Researchers with IBM X-Force say that attack method could be linked to the TrickBot trojan.
Attackers are using a form of attack called “smishing”, which is like Phishing but functions through SMS instead of email. Messages are designed to look like they come from a legitimate bank associated to the victim.
It is another example of Emotet being used since it returned in October. Earlier this month we reported on how the malware was used to make Wi-Fi networks vulnerable. Attackers are using a new Emotet malware method to attack open Wi-Fi networks and access user machine systems.
For the smishing campaign, IBM X-Force says it shows how Emotet is becoming increasingly dangerous.
“Emotet’s operator, the Mealybug gang, has varied its activity levels over time, sometimes going into lengthy lulls and periods of low-volume activity,” said researchers in a Wednesday analysis. “Since late 2019, Mealybug has been pushing its activity through various channels, including spam, sextortion emails, SMiShing and ploys like fake Coronavirus warnings that were spread in Japan.”
Attack
SMS messages sent to victims appear to be sent from the United States and mimic bank messages. In the contents, the messages warn users their bank account is locked. They are told to click a link to unlock the account. Like all similar attacks, the success depends wholly on the user being tricked into clicking the link.
That link leads to a domain that distributed Emotet. However, the page is designed to look like a regular mobile banking page.
“Knowing that Emotet is one of the ways TrickBot payloads are dropped to infected systems, there is a possibility that this attack is a targeted campaign designed to enable the spread of the TrickBot trojan,” researchers said.
