The attack is typically launched via vishing: the attacker convinces the victim to dial a Man Machine Interface (MMI) code that enables call forwarding when the line is busy or the network is unavailable. These MMI codes typically begin with a '*' or a '#'. The attacker poses as a representative of a bank, phone company, or government agency, and will sound convincing. When the victim enters this code, all of their phone calls are forwarded to the attacker's phone number. Once the victim has entered the code, the attacker initiates the WhatsApp recovery process for the victim's WhatsApp account on the attacker's own device, choosing the option of receiving the OTP via phone call. Because the victim's phone is engaged, the call carrying the code is forwarded directly to the attacker's phone. The attacker completes the registration process as soon as the OTP is received, taking over the victim's WhatsApp account while the victim is logged out.
The malware is distributed via an elaborate phishing campaign that relies on malware-laden attachments, most of which are Microsoft Office files; the remaining attachments are archives, executables, and scripts. To gain execution, the malware exploits the Microsoft Office memory corruption vulnerability CVE-2017-11882. Forty-five percent of this malware was delivered via an Office attachment. Among these attachments, 33 percent were spreadsheets, 29 percent executables and scripts, 22 percent archives, and 11 percent documents. Additionally, 14 percent of the email malware had bypassed at least one email gateway security scanner before it was captured. Other notable differences in Emotet's latest incarnation include the use of 64-bit shellcode in attacks, as well as more advanced PowerShell and active scripts.
The Emotet botnet now carries a module intended to steal credit card information from Google Chrome user profiles. The credit card stealer module appears to be designed specifically for Google Chrome. The malware sends the credit card information extracted from the user's Chrome profile back to its command-and-control (C2) server. However, the C2 server to which the information is sent is not the same as the one that deployed the card stealer.
The Google Play Store, the official Android app distribution platform, is used for delivery. The adware infections can degrade the user experience, deplete the battery, generate heat, and even cause unauthorized charges by displaying unwanted advertisements. Furthermore, the malware generally attempts to conceal itself by masquerading as something else on the host device and earns money for remote operators by forcing the victim to view or click on affiliated advertisements. The identified apps are:
The primary mode of distribution is via shady cryptocurrency websites that try to get the intended victim to manually download apps in the form of APKs and install them on their devices. There is also an ongoing smishing (phishing via SMS) campaign to garner app installs. Upon installation, the malicious app requests permissions, including access to the Accessibility API. Gaining access to the Accessibility API allows the malware to remain persistent on the infected device and perform actions without the need for user interaction. The malware then connects to the Command-and-Control (C2) server and sends out a list of the apps installed on the infected device. The goal is to determine which banking apps the victim is using so that the C2 can send matching overlays of the login screen to facilitate credential theft. The malware has been found in clones of legitimate applications such as TheCryptoApp and in a bogus cryptocurrency mining app called Mining X.
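Because the abuse described above hinges on the app being granted an accessibility service, a quick defensive check is to list which accessibility services are enabled on a device and flag any that do not belong to a vetted package. The following is an added example written for this page, not code from the report: it parses the value that `adb shell settings get secure enabled_accessibility_services` returns (a colon-separated list of `package/ServiceClass` entries), and the sample value, the allowlist and the `com.example.cryptowallet` package name are all constructed.

```python
"""Audit enabled Android accessibility services against a package allowlist.

Added example for illustration; the input string is constructed.  On a real
device the raw value comes from:

    adb shell settings get secure enabled_accessibility_services
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Hypothetical allowlist of packages a defender has vetted as legitimate
# accessibility-service providers.  Build yours from a known-clean baseline.
KNOWN_GOOD_PACKAGES: FrozenSet[str] = frozenset({
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
})


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service_class: str


def parse_enabled_services(raw: str) -> List[AccessibilityService]:
    """Parse the colon-separated enabled_accessibility_services value.

    Each entry is a flattened ComponentName, "pkg/cls".  A class name that
    starts with "." is shorthand for a class inside pkg.  An empty value or
    the literal "null" means no accessibility service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            raise ValueError(f"malformed component name: {entry!r}")
        if cls.startswith("."):
            cls = package + cls
        services.append(AccessibilityService(package, cls))
    return services


def suspicious_services(raw: str,
                        known_good: FrozenSet[str] = KNOWN_GOOD_PACKAGES
                        ) -> List[AccessibilityService]:
    """Return enabled services whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(raw) if s.package not in known_good]


# Constructed sample: TalkBack (legitimate) plus an unvetted third-party app
# that has obtained accessibility access.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cryptowallet/.SvcAccessibility"
)

if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_SETTING):
        print(f"REVIEW: {svc.package} ({svc.service_class}) holds accessibility access")
```

Run against the constructed sample this reports only the `com.example.cryptowallet` service; the allowlist approach is deliberate, since a blocklist of known-bad package names would miss every freshly cloned app.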
The attack begins with an email to the intended victim informing them that their Facebook page is in violation of Community Standards and will be deleted if they do not appeal within two days. The user is then encouraged to click a big, bold, blue "Appeal Now" link, which will take them to the "support inbox."
Clicking the link starts a Messenger conversation with a chatbot whose Facebook page is called "Page Support" and has no followers and little to no activity. The chatbot then sends a brief message explaining why the user's page has been marked for "permanent deletion," and informs the user that they can appeal by clicking another "Appeal Now" link. Clicking this link directs the victim to a website that is not under Facebook's control. In order to "process the appeal," the phishing page (appeal-59321958.web.app/appeal.html) requests certain Personally Identifiable Information (PII): the victim's email address, mobile phone number, name, and page name. When the form is submitted, a pop-up window appears asking for the account password. Once the password is entered, the victim is taken to a fake Facebook page requesting a two-factor authentication code. Checks have revealed that this page accepts any code; it exists only to make the whole process seem legitimate. After this is done the victim is redirected to Facebook’s real intellectual property and guidelines page.
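The tell in this chain is that the "appeal" page is hosted on a domain Facebook does not operate. The check sounds trivial, but a substring match such as `"facebook.com" in url` is fooled by lookalike hosts and by userinfo tricks, so the hostname must be parsed out first. The following is an added example, not code from the page: the `FACEBOOK_DOMAINS` allowlist is an assumption, and the test URLs other than the one quoted above are constructed.

```python
"""Decide whether a link that claims to be a Facebook appeal page really lives
on a Facebook-operated domain.  Added example; the domain list is an assumption.
"""
from typing import Optional, Sequence
from urllib.parse import urlsplit

# Assumed list of registrable domains operated by Facebook/Meta.
FACEBOOK_DOMAINS: Sequence[str] = ("facebook.com", "fb.com", "messenger.com", "meta.com")


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of an http(s) URL, or None if unusable.

    urlsplit().hostname already drops userinfo ("facebook.com@evil.example"),
    the port, and case; a trailing dot (FQDN form) is stripped as well.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")


def is_operated_by(host: str, domains: Sequence[str]) -> bool:
    """True if host equals one of the domains or is a subdomain of it.

    Matching on "." + domain is what stops "facebook.com.evil.example"
    from passing: it ends with ".example", not with ".facebook.com".
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_appeal_link(url: str) -> str:
    """Label a link as 'facebook', 'third-party', or 'invalid'."""
    host = hostname_of(url)
    if host is None:
        return "invalid"
    return "facebook" if is_operated_by(host, FACEBOOK_DOMAINS) else "third-party"


def naive_check(url: str) -> bool:
    """The substring check this example warns against; kept for comparison."""
    return "facebook.com" in url.lower()


if __name__ == "__main__":
    for link in ("https://appeal-59321958.web.app/appeal.html",   # from the report
                 "https://www.facebook.com/help/",               # constructed
                 "https://facebook.com.evil.example/appeal",     # constructed lookalike
                 "https://facebook.com@evil.example/appeal"):    # constructed userinfo trick
        print(f"{classify_appeal_link(link):12s} naive={naive_check(link)!s:5s} {link}")
```

Note that the allowlist holds registrable domains only; an exact-match or subdomain test against those is enough here, so no public-suffix lookup is needed.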
The SessionManager backdoor is installed as a malicious module within Internet Information Services (IIS), a Microsoft-developed flexible web server that provides web hosting services for Microsoft solutions. According to Kaspersky, its detection rate is also cause for concern because some of its samples were not detected by some of the more popular "online file scanning services."
Some of SessionManager’s capabilities are: