Antivirus company McAfee has sent a malware loaded file to customers who were using its anti-hacking service. The Emotet banking malware was loaded into a Word file that was sent to users of the McAfee ClickProtect email protection service.
The malware was hosted on a third-party website but was shared via a domain associated with the project. It is ironical the company actually advertises the service as capable of “protecting your business from hacking.” The service is designed to protect users against phishing attacks and malware links. It also protects users from harmful sites.
The link was discovered by a French researcher Benkow, who tweeted about it in a malware analysis report.
The link redirects users through the “cp.mcafee.com” domain. In case you download the Word document, you will be exposed to Emotet.
Emotet is a banking malware that obtains a user’s financial information by injecting malicious code into the network stack of a user’s computer. This malware is generally delivered using URLs hidden in emails, PDFs and Word documents.
"Emotet has been widely distributed via malspam campaigns containing links to hacked sites that host a decoy Word document…Upon opening it and allowing macros, the user unknowingly triggers the download of the Emotet malware binary, also retrieved from a compromised site," Jerome Segura, lead malware intelligence analyst at security firm Malwarebytes, said in an email to ZDNet.
The malware distributed through the McAfee ClickProtect service is triggered immediately when the user opens the infected document. It also downloads additional information using a PowerShell script.
Once it is installed, it siphons off information such as passwords and card numbers. It is then used later to hack into the user’s accounts and electronically transfer their finances. It can also hack into the command and control center of an infected computer and use hard-coded IP addresses, which will create proxies and avoid detection.
However, McAfee insists the service is working well.
"In the early hours of Nov. 13, the web destination in question had not yet been identified as a source of malware propagation. Later that day, however, McAfee's Global Threat Intelligence service had indeed identified the web property as a threat, changed the site's reputation ranking from 'low risk' to 'high risk,' and thereafter blocked McAfee customers from being able to reach the site," a spokesperson for the company told ZDNet on Thursday.
The company said it blocked the infected document. However, ZDNet reported the link was working until Thursday and even though the service marked the infected file as high-risk, it hadn’t been blocked yet.
Emotet is a high-risk malware and its surfacing could mean that many users might be at risk.
“Users should beware of shortened or converted links and perhaps even more so when there might be assumptions that they are safe. The same goes for signatures appended at the bottom of an email, saying 'this email is guaranteed virus-free' or similar," he added. "Not only does it give users a false sense of security, but criminals often also add such messages for social engineering purposes," Antivirus researcher Jerome Segura told ZDNet.