Another Emotet banking trojan campaign is spreading, warns Canadian managed security provider

A Canadian security vendor  has warned of seeing evidence of an increase in the number of customers successfully infected by the Emotet banking trojan.

eSentire, a Cambridge, Ont.,-based managed security provider, said last week the malware is being spread via fake invoice email attachments. As part of the invoice there’s a Microsoft Word document users are asked to download and enable Word macros. That document leads to the downloading of payloads from command and control servers. When one machine is infected the malware moves laterally through a network by using the default $admin SMB file share across Windows machines. Depending on the infected user’s permission level, persistence can be gained through registry run keys or a service.

“Samples observed employed randomly generated file names by victim asset and altered its file composition on disk at regular intervals to evade detection based on file hash,” eSentire said in an advisory.

According to a detailed analysis earlier this year of the trojan by Malwarebytes, Emotel — which has been around since 2014 — Emotel has been able to evade many tools for attacking it because the makers often change the code. These changes range from slight variations to drastic changes such as moving from a VBA project to PowerShell scripting.

(Image from Malwarebytes)

“Emotet is one of the most active threats seen in the wild, with campaigns serving this malware daily to potential victims across the globe,” said Malwarebytes. “The level of code obfuscation and encryption used to hide the code is quite complex and well-executed. In fact, it is one of the most complex downloaders in circulation.”

eSentire advises infosec pros to

  • conduct user awareness training around spam emails and suspicious documents
  • implement the principle of least privilege to limit the chance of an attacker gaining administrative access. The malware requires local administrative access on the remote system in order to copy and execute from the $admin SMB share
  • ensure the use of strong and unique passwords across the corporate environment
  • disable macros from running within Microsoft Office documents
  • software restriction policies (SRP) should be deployed in order to allow only known applications to run and prevent the execution of files from temporary directories
  • ensure that anti-virus software conducts scans in regular and frequent intervals
  • segregate networks and business functions
  • perform out-of-band network management on critical devices
  • block or restrict access to SMB file shares if it doesn’t obstruct access to shared files, data, or devices.


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now