A recent article, this time from GBHackers, brings to light yet another way that hackers are getting quick and easy gains – Banking Malware. Banking malware, in this case the Emotet variety, is a banking trojan that can steal key personal information used for online banking such as usernames and passwords. Having first been introduced in 2017, this is one of the costliest banking trojans to date, typically spreading through large spam campaigns.
The spam email starts as an unassuming invoice that urges the recipient to clear the outstanding amount, with a link they can click to complete payment. This link has recently been pointing to an XML document with a .doc extension. Given the ubiquity of Microsoft Word, especially with the prevalence of Office 365 in most organizations, this .doc file opens in Microsoft Word by default. Since the document contains macros, enabling them starts the infection process and gets the Emotet malware through the door. Once the infection has happened, Emotet intercepts and logs outgoing network traffic from the web browser, so that sensitive data is collected and used to access the victim’s bank accounts. Not only that, Emotet can further download the Qakbot malware, which installs itself on the victim’s machine, copying itself to another directory and disguising itself as a calc.exe program. Combined, these two pieces of malware are capable of monitoring browsing activity and logging all finance-related information and transactions.
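The weak point in the lure above is that the attachment's name says one thing (.doc) and its content says another (XML). That mismatch is easy to check before a file reaches a user, and it is the kind of check a mail gateway or sandbox pre-filter can run. The following is an added example written for this post; it is not code from the GBHackers article or from Wedge Networks. It assumes the Word 2003 XML (WordprocessingML) markers shown, and the two sample attachments are constructed here for the demonstration, not real lures.

```python
# Added example (not from the article or from Wedge Networks): classify a
# .doc attachment by its real content and flag the "XML named .doc" case,
# noting whether the XML declares macros.
#
# Assumption: the XML and macro marker strings are those used by the Word
# 2003 XML ("WordprocessingML") format.  Sample attachments below are
# constructed for this demonstration.

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) container
XML_MARKERS = (b"<?xml", b"<?mso-application", b"<w:wordDocument")
MACRO_MARKERS = (b'w:macrosPresent="yes"', b"editdata.mso")


def container_type(data: bytes) -> str:
    """Classify the attachment by content only; the file name is ignored."""
    # Drop a UTF-8 BOM and leading whitespace so an XML prolog is found.
    head = data[:256].lstrip(b"\xef\xbb\xbf \t\r\n")
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    if any(head.startswith(m) for m in XML_MARKERS):
        return "xml"
    return "unknown"


def classify_doc_attachment(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment: what it really is, whether it
    declares macros, and whether the name/content mismatch warrants a block."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    container = container_type(data)
    macros = container == "xml" and any(m in data for m in MACRO_MARKERS)
    reasons = []
    if ext == "doc" and container != "ole2":
        reasons.append(f".doc extension but content is {container}")
    if macros:
        reasons.append("XML document declares macros")
    return {
        "name": name,
        "container": container,
        "macros_declared": macros,
        "block": bool(reasons),
        "reasons": reasons,
    }


def triage(attachments):
    """Run the check over (name, bytes) pairs and return only the blocked ones."""
    verdicts = (classify_doc_attachment(n, d) for n, d in attachments)
    return [v for v in verdicts if v["block"]]


# Constructed sample 1: a minimal legacy binary .doc (just the OLE2 header).
BENIGN_DOC = OLE2_MAGIC + b"\x00" * 504

# Constructed sample 2: a Word 2003 XML document that declares macros,
# delivered under a .doc name, as the lure described in the post.
LURE_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"'
    b' w:macrosPresent="yes">\n'
    b"<w:body><w:p><w:r><w:t>Please clear the outstanding amount.</w:t></w:r></w:p></w:body>\n"
    b"</w:wordDocument>\n"
)

if __name__ == "__main__":
    for verdict in triage([("report.doc", BENIGN_DOC), ("invoice.doc", LURE_DOC)]):
        print(verdict["name"], "->", "; ".join(verdict["reasons"]))
```

The check deliberately never trusts the extension: a genuine legacy .doc starts with the OLE2 compound-file signature, so anything else carrying that name is treated as a mismatch, and an XML body that declares macros is called out separately so the verdict explains itself in a gateway log.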
Unfortunately, the above events play out far more often than most would like to think, despite users becoming more wary of spam and more savvy about not clicking links in emails from unknown sources. In some cases, the same malware is used in targeted phishing attacks, in which case the emails may come from sources the users know, or “believe” they know. In any event, once the file gets through to the endpoint, the possibility of infection increases astronomically.
The question becomes: what is the best solution for protecting against this sort of attack? Most solutions out there rely on “Detect and Remediate”, which unfortunately allows malware to get in the door and onto the endpoint through web or email. Wedge’s solution is different. We believe in the “Detect and Block” approach: detecting and blocking in real time so that these attacks never have a chance to reach the endpoint. With Wedge’s Advanced Malware Blocker, we use our patented Deep Content Inspection, which gives our solution the ability to reconstruct the full content and to “see” the intent of the content, scanning it with signature-based scans, heuristic-based scans and an artificial intelligence neural engine; all of this in real time and before it hits your endpoint. WedgeAMB would detect and block the malware in real time before it had a chance to be seen by the end user, taking any possibility of infection out of the equation. With Deep Content Inspection and the various scanning engines, the “intent” of the content can be determined; even if the malware is a new variation or new, never-before-seen malware, it will be scanned and blocked as soon as its mal-intent is revealed.
So, if you are interested in protecting your organization from attacks such as those driven through weaponized Word documents, feel free to get in touch with our team at info@wedgenetworks.com. We offer a FREE 90-day trial of the Wedge Advanced Malware Blocker. What have you got to lose?