McAfee, the world-renowned security company, has blocked access to malware that appeared to be served from its own network. The malware was hosted on another website but was made reachable through a domain associated with McAfee Click Protect. Click Protect is an email protection service that the company advertises as able to “protect your business data and information from being hacked”. Its main purpose is to offer high-end protection against malware links in emails and phishing scams, and to stop users from visiting websites that are known to be malicious.
The malicious link was only discovered when a Paris-based security researcher who uses the pseudonymous handle Benkow found it and tweeted a malware analysis report containing the URL.
The URL redirected users through the “cp.mcafee.com” domain and on to the infected Word document. Any user who downloads and opens this document is exposed to the Emotet banking malware. Segura, lead malware intelligence analyst at the security firm Malwarebytes, said that “this malware has been widely spread via malspam campaigns, which contain links to hacked websites hosting a decoy Word document.”
He also said that “on opening the document and permitting macros, the user unintentionally triggers the download of the Emotet malware binary.” The malware makes use of a traditional macro-enabled Word document, mostly delivered by a direct URL or in an email. When the document is opened and its macros are enabled, it automatically downloads additional files using a PowerShell script, including the Emotet malware binary.
Once installed, the malware phones home to its command and control server and siphons off confidential data, including email passwords, banking information and web browser passwords, which can be used to access the victim's accounts and transfer funds. The malware communicates with the command and control server using hard-coded IP addresses, but it uses proxies to avoid detection, said security researcher Marcus Hutchins in a recent write-up.
According to a McAfee spokesperson, the URL in question had not previously been detected as a source of malware propagation. Later on November 13, the McAfee Global Threat Intelligence service identified the property as a major threat and changed the website's reputation rating from low risk to high risk. Soon after, the security firm blocked all McAfee Activate users from accessing the website.
By the time McAfee's research team became aware of the threat and the website's status from the email sent by ZDNet, the site had already been blocked for some time, the spokesperson said in a statement. But up until shortly before McAfee's statement about the blocking, the link was still active and pointing to the malicious Word document. It is not clear why the service would mark the site as high risk yet still permit the malware to be downloaded.
The spokesperson added that McAfee was still working to establish the exact timeline of when the download link was disabled. The origin of the link is not known: whether it was created by the attackers to deceive unsuspecting victims into downloading the malware, or whether it was created by mistake. It was not the result of deliberate abuse of the system, he said.
Attackers have increased their use of the Emotet malware in recent months, increasingly resorting to carefully crafted emails and social engineering techniques. The emails carrying the malware often masquerade as messages from cell phone and internet providers. The attackers' prime focus is on McAfee customers in the US, UK and Canada. Users should be wary of shortened or rewritten links, as they could be malicious and lead to the same Word document, which in turn downloads the Emotet malware binary.
The same applies to signatures in the footer of an email stating “this email is guaranteed virus-free” or similar, the spokesperson added. “Not only does it give users a false sense of security, but criminals often also add such messages for social engineering purposes.”
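A defender-side triage step for the rewritten links discussed above, added here as an example and not taken from the article, from McAfee or from Click Protect: it unwraps redirector-style URLs whose query string carries the real destination and flags destinations that point at macro-capable Office documents. The wrapper format, the hostnames and the sample links are constructed placeholders, not McAfee's actual URL scheme.

```python
from urllib.parse import urlparse, parse_qs

# Extensions of Office formats that can carry macros (hypothetical triage list, not a vendor signature).
OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm")

# Constructed sample links: a redirector wrapping a Word document, a redirector wrapping a
# benign page, and a shortened link that embeds no destination at all.
SAMPLE_LINKS = [
    "https://clickprotect.example/redir?u=https%3A%2F%2Fcompromised-site.example%2Finvoice%2FDOC_2017.doc",
    "https://clickprotect.example/redir?u=https%3A%2F%2Fvendor.example%2Fnewsletter",
    "https://short.example/abc",
]


def extract_destination(url: str, max_hops: int = 5) -> str:
    """Follow redirector-style wrappers offline.

    If any query-string value is itself an absolute URL, treat it as the next hop; stop when
    no embedded URL remains or after max_hops nested wrappers. Shorteners that hide the
    target server-side cannot be resolved this way and are returned unchanged.
    """
    current = url
    for _ in range(max_hops):
        query = parse_qs(urlparse(current).query)
        embedded = [v for values in query.values() for v in values
                    if v.startswith(("http://", "https://"))]
        if not embedded:
            break
        current = embedded[0]
    return current


def is_office_document(url: str) -> bool:
    """True when the URL path ends in a macro-capable Office extension."""
    return urlparse(url).path.lower().endswith(OFFICE_EXTS)


def triage_links(urls):
    """Return one record per link: original, unwrapped destination, and whether to flag it."""
    records = []
    for link in urls:
        dest = extract_destination(link)
        records.append({
            "link": link,
            "destination": dest,
            "wrapped": dest != link,  # the visible domain was not the real target
            "flagged": is_office_document(dest),
        })
    return records
```

A flagged record is a candidate for sandbox detonation or blocking, not a verdict; a destination that serves a document only after further server-side redirects will not be caught offline.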