Emotet phishing botnet returns from summer vacation
The Emotet phishing trojan-turned-botnet is back in action after a three-and-a-half month break, say threat researchers
Cyber security threat researchers at multiple companies have reported that the prolific Emotet email trojan-turned-botnet has re-emerged as an active threat to inboxes after an apparent summer hiatus lasting three-and-a-half months.
The resurgence of what has been one of the most widely distributed and dangerous email attacks of the past few years began early on the morning of Monday 16 September, hitting targets across Europe and the US, with the latest attack introducing Spanish and Italian language variants for the first time.
Threat researchers at Malwarebytes said that renewed command and control (C2) server activity observed over the preceding few weeks had signalled that the botnet was preparing to ramp up, and that they were now seeing significant volumes of phishing emails, usually under the subject line “Payment Remittance Advice”.
The sophisticated spear phishing emails are frequently personalised to their victims, and lure targets into opening an attached or linked document – usually Microsoft Word – and enabling a macro to download Emotet from compromised websites. These sites, Malwarebytes reported, are often running on the WordPress content management system (CMS), although other delivery techniques, such as downloader scripts, are also in use.
Infected endpoints will then propagate Emotet laterally to other endpoints on the same network, stealing credentials from installed applications and spamming contact lists. It also serves as a delivery mechanism for other more dangerous ransomware payloads.
Targeted attack
Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, said operators launched a mid-sized campaign – hundreds of thousands of messages – on 16 September targeting organisations in Austria, Switzerland, Germany, Spain, the UK, Italy, Poland and the US.
“This is notable because Emotet was one of the most disruptive threats of the past year, with consistent large-scale campaigns,” she said. “While the lures were generally not sophisticated, they were localised and geo-targeted; the malware, originally a banking trojan, was used more recently to download other malware (including bankers) and distribute spam with modules for launching additional attacks and stealing credentials.”
DeGrippo noted that although it was not uncommon for the criminals behind such threats to wind down to retool and develop their attacks, or even sometimes to take a holiday themselves, the length of the Emotet hiatus was somewhat unusual, particularly given the threat’s prominence.
Colin Grady, William Largent and Jaeson Schultz of Cisco’s Talos threat research team said that five years after its debut as a banking trojan, Emotet had now evolved into one of the world’s most dangerous botnets and malware droppers for hire.
However, they said Talos already had multiple new indicators of compromise (IoCs) to protect its customers, and past Snort intrusion detection system coverage was still effective against it, alongside traditional security best practices, such as not opening unexpected attachments to begin with, being wary of emails that seem to be unexpected replies to old threads or are otherwise out of context, using stronger passwords, and opting into multifactor authentication if offered.
Effective distribution
“One of Emotet’s most devious methods of self-propagation centres around its use of socially engineered spam emails,” the trio wrote on the Cisco Talos security blog. “Emotet’s re-use of stolen email content is extremely effective. Once they have swiped a victim’s email, Emotet constructs new attack messages in reply to some of that victim’s unread email messages, quoting the bodies of real messages in the threads.”
“It’s easy to see how someone expecting an email as part of an ongoing conversation could fall for something like this, and it is part of the reason that Emotet has been so effective at spreading itself via email. By taking over existing email conversations, and including real subject headers and email contents, the messages become that much more randomised, and more difficult for antispam systems to filter.”
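As an added illustration (not from the article or from any of the vendors quoted in it), a small Python triage check for the thread-hijacking pattern described above: a reply into a real thread that carries a Word/macro attachment and is sent under a known contact's display name from an address that contact has never used. The contact directory and both messages are constructed for the example.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Hypothetical contact directory (constructed for this example): name -> address.
KNOWN_CONTACTS = {"bob example": "bob@example.org"}
MACRO_EXTS = (".doc", ".docm", ".dotm")
MACRO_TYPES = ("application/msword", "application/vnd.ms-word.document.macroenabled.12")

# Constructed sample: reply into a real thread, real subject, quoted real text,
# a macro document attached, but sent from an address the contact never used.
HIJACKED = b"""From: Bob Example <bob.example@mail-relay.invalid>
To: alice@example.com
Subject: RE: Payment Remittance Advice
In-Reply-To: <1234@example.org>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
> Hi Alice, the remittance for invoice 8812 is attached. Bob
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="Remittance.docm"

ZmFrZQ==
--b1--
"""
# Constructed sample: the genuine reply from the same contact, PDF attached.
GENUINE = HIJACKED.replace(b"bob.example@mail-relay.invalid", b"bob@example.org") \
    .replace(b"vnd.ms-word.document.macroEnabled.12", b"pdf") \
    .replace(b"Remittance.docm", b"Remittance.pdf")


def triage(raw: bytes) -> dict:
    """Score one message for the hijacked-thread pattern: a reply carrying a
    Word/macro document, sent under a known contact's display name but from an
    address that contact does not use. Three signals present -> quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    is_reply = bool(msg.get("In-Reply-To")) or msg.get("Subject", "").lower().startswith("re:")
    name, addr = parseaddr(msg.get("From", ""))
    known = KNOWN_CONTACTS.get(name.strip().lower())
    impersonation = known is not None and known != addr.lower()
    macro_docs = [(p.get_filename() or "").lower() for p in msg.walk()
                  if p.get_content_disposition() == "attachment"
                  and (p.get_content_type() in MACRO_TYPES
                       or (p.get_filename() or "").lower().endswith(MACRO_EXTS))]
    score = is_reply + bool(macro_docs) + impersonation
    return {"reply": is_reply, "macro_docs": macro_docs, "impersonation": impersonation,
            "verdict": {3: "quarantine", 2: "review"}.get(score, "deliver")}
```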
Francis Gaffney, Mimecast director of threat intelligence and response, said: “Organisations should ensure that they have a trusted antivirus solution that is kept up-to-date and that users are made aware that invoicing is being specifically targeted at this time. These campaigns essentially rely on human error to do their work for them, a factor in over 90% of breaches. The more aware of current threats your employees or staff are, the less likely they are to click on or activate a malicious link.”
Gaffney said that the importance of verifying the provenance of an email with a trusted contact via offline methods, such as the telephone or even in person, could not be overstated as a safeguard against Emotet.
He also highlighted the fact that Emotet is now utilised as a downloader for other forms of malware. “My primary concern would be that it presages a ransomware attack, particularly RYUK. There is however a significant window of opportunity here if any Emotet infection can be remedied as soon as possible once detected. This may well prevent any subsequent ransomware attack from developing, if acted upon swiftly.
“I would refer anyone concerned, or who wishes to obtain further information on this threat, to visit the National Cyber Security Centre (NCSC) website and to read their June Advisory in relation to RYUK ransomware. I would suggest it would be sensible for anyone to consider that any document received from an unverified source and that requests you ‘activate macros’ should be ignored. This is possibly the single most common means of infection,” said Gaffney.
The Cisco Talos team concluded: “Emotet has been around for years, this re-emergence comes as no surprise. The good news is the same advice for staying protected from Emotet remains.
“This is also a good opportunity to recognise that security researchers and practitioners can never take their foot off the gas. When a threat group goes silent, it’s unlikely they’ll be gone forever. Rather, this opens up the opportunity for a threat group to return with new IoCs, tactics, techniques and procedures or new malware variants that can avoid existing detection. It’s never safe to assume a threat is gone for good.”