McAfee's security service put users at risk of infection by a banking Trojan

17 November 2017, 11:17 | Technologies

Information security company McAfee has blocked access to malicious software that, as it turned out, was being distributed from the company's own network. The malware was hosted on a third-party site, but it was distributed through a domain associated with the McAfee ClickProtect service. Ironically, the service is designed to protect email users from phishing emails and links that spread malware.

The malicious link was discovered by a French security researcher using the pseudonym Benkow. The expert found and published a link containing an analytical report on malware. The link redirected users through the cp.mcafee.com domain to a malicious Word document; after the document was downloaded and opened, the banking Trojan Emotet was installed on the victim's system. The malware download started once the user allowed macros to run.

After installation, the Trojan collected passwords from the infected system and sent them to its C&C server.

According to information security expert Marcus Hutchins, the malicious client connects to the C&C server using hardcoded IP addresses, but uses a proxy to evade detection.

The malware, first discovered in 2014, returned in September of this year. As previously reported by SecurityLab, researchers from Trend Micro recorded a new Emotet distribution campaign. The main infection vector is phishing emails disguised as invoices and payment notices.

Whether the link appeared by mistake or was created by hackers is unknown. The reasons for Emotet's return also remain a mystery.



