Hello, welcome to the Friday, November 16th, 2018 edition of the Sands and its Storm Center's

Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Pratt today wrote up his latest findings regarding the Emotad Malware.

Now, Imotad has a number of different ways how it usually arrives, but often it does arrive

with the good old Word document with macros.

It can also first trick you to download the Word document by clicking on a link or by embedding

the link in a PDF.

But ultimately, you will end up with a Word document, you have to enable macros, and then Emotet starts and does its thing. Now,

over the years Pratt has documented a number of different payloads that have been spread by

Emotet. The latest one he's looking at is a banking trojan.

Now Imotet started out with its own banking trojan. Then I think it was last month. Brad

actually wrote about how Imodet was used to spread Suspanda, which is another popular banking trojan.

The latest one that Brad saw pop up on Wednesday was Iced ID.

Yet another banking trojan, and again, Emotet is just used as the delivery vehicle.

Apparently the way this works is that the crew behind Emotet does rent out its services

and then does install these banking trojans for other groups.

Sad part, of course, is yes, it still works.

We still have people that will happily enable macros.

And exposed container services are of course a nice target for an attacker that tries to deploy

their own workload.

Latest example here is a blog by Juniper that looks at how Docker servers are being used in order

...