Vigilante(s?) Troll Emotet Malware

Suspicious Link, a malware research Twitter personality who follows suspicious links, tweeted about a recent discovery. Someone is replacing Emotet payloads with gifs of James Franco.

Some background: Emotet is a well-known Trojan, but it does not usually arrive on its own; other malware delivers it. A “malware dropper” looks at a specific URL, pulls down the data hosted there, and then “drops” that malware as a “payload”. A common attack vector is a spam message that convinces the intended victim to enable insecure content in a document. Once the victim takes that action, the dropper pulls down other, more malicious malware (such as Trojans and ransomware).

However, that’s not what’s happening here.

Suspicious Link noticed that the URL from which Emotet should have been pulled instead served an animated gif of James Franco looking confused. On the internet, this gif is commonly used as a reaction of intrigued surprise. In other words, the Emotet Trojan got swapped out for a joke.

Other malware researchers on Twitter posted similar results from other Emotet delivery methods. These locations had different comedic gifs.

Kevin Beaumont, Senior Threat Intelligence Analyst for Microsoft, noted that because the vigilante swapped out the Emotet payloads with a gif, the Emotet malware didn’t drop. In other words, even if somebody didn’t have an antivirus installed and enabled the suspicious content, Emotet would not get dropped onto the target PC. The joke was on the hackers.
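The reason the chain broke is that the dropper retrieved image data where it expected a Windows executable. Analysts triaging dropper URLs can make that same determination from the first bytes of whatever the URL serves. The following is an added example written for this article (not code from the original post, VIPRE, or any of the researchers quoted); the sample payloads and the `dropper.example.invalid` URLs are constructed stand-ins, not the real Emotet infrastructure.

```python
import struct


def classify_payload(data: bytes) -> str:
    """Classify a retrieved payload by its magic bytes.

    Returns 'gif' for GIF87a/GIF89a image data, 'pe' for a Windows executable
    (MZ header whose e_lfanew points at a 'PE\\0\\0' signature), 'mz-only' for
    an MZ header without a valid PE signature, and 'unknown' otherwise.
    A dropper only has something to execute in the 'pe' case.
    """
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            # Offset 0x3C of the DOS header holds the offset of the PE header.
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-only"
    return "unknown"


def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE header (not a runnable program)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # PE header immediately follows
    return bytes(header) + b"PE\x00\x00" + bytes(20)


# Constructed GIF89a header: 1x1 canvas, no image data, trailer byte.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + bytes(3) + b"\x3b"

# Constructed record of what two hypothetical dropper URLs returned.
CONSTRUCTED_FETCHES = {
    "hxxp://dropper.example.invalid/doc1": SAMPLE_GIF,
    "hxxp://dropper.example.invalid/doc2": build_fake_pe(),
}


def triage(fetches: dict) -> dict:
    """Map each dropper URL to the kind of content it currently serves."""
    return {url: classify_payload(blob) for url, blob in fetches.items()}


if __name__ == "__main__":
    for url, kind in triage(CONSTRUCTED_FETCHES).items():
        status = "would drop" if kind == "pe" else "would NOT drop"
        print(f"{url}: {kind} ({status})")
```

In an incident-response workflow the same check answers a practical question: if a URL extracted from a malicious document is serving a GIF rather than a PE, a host that fetched it in the meantime most likely did not get the second-stage payload, which narrows the scope of the investigation.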

This is a story that’s still developing. It’s unknown who the vigilante(s) is/are. Whether they’re state-sponsored actors, individuals, a rival malware team, or even a group that delivers Emotet trying to cover their tracks is still unknown. Regardless, the internet was both a little bit safer and a little bit sillier last night.

For an in-depth look at Emotet, take a look at this VIPRE Labs post.

The post Vigilante(s?) Troll Emotet Malware appeared first on VIPRE.