The number of attacks related to Emotet continues to spike after the dangerous botnet re-emerged over the summer with a fresh phishing and spam campaign that is primarily infecting devices with a banking Trojan, according to new research from HP-Bromium, an endpoint security company.
Emotet is both a malware strain and a cybercrime operation. The malware, also known as Geodo and Mealybug, was first detected in 2014 and remains active; it was deemed one of the most prevalent threats of 2019. The first versions of Emotet functioned as a banking Trojan aimed at stealing banking credentials from infected hosts. Throughout 2016 and 2017, Emotet's operators updated the Trojan and reconfigured it to work primarily as a "loader," a type of malware that gains access to a system and then allows its operators to download additional payloads. Second-stage payloads can be any type of executable code, from Emotet's own modules to malware developed by other cybercrime gangs.
During the third quarter of 2020, the number of Emotet infections increased 1,200% compared to the second quarter of the year, according to an analysis by HP-Bromium. After a nearly six-month hiatus, an uptick in spam and phishing emails related to the malware began in mid-July 2020, the security researchers stated.
This increase in activity was also spotted by other researchers who note that Emotet is increasingly used to deliver a banking Trojan called QBot or QakBot to infected devices. This malware is primarily designed to steal banking data and credentials and is known to target the customers of several large financial institutions, including JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo. It continuously evolves with variants having worm-like capabilities, able to drop additional malware, log user keystrokes, and create a backdoor to compromised machines.
Besides the banking Trojan, Alex Holland, senior malware analyst at HP-Bromium, notes that Emotet infections are usually the precursor to a ransomware attack. "The typical pattern of Emotet campaigns we have seen since 2018 suggests that we are likely to see weekly spam runs until early 2021," Holland says. "The targeting of enterprises is consistent with the objectives of Emotet's operators, many of whom are keen to broker access to compromised systems to ransomware actors."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has called Emotet one of the most dangerous malware variants currently active. Since July 2020, the malspam campaign that is spreading the Emotet botnet has been spotted in the U.S., U.K., Canada, Austria, Germany, Brazil, Italy and Spain, according to previous research by security firm Proofpoint. CISA has noted that its own intrusion detection system, which monitors federal civilian networks, has detected approximately 16,000 alerts related to Emotet since the botnet re-emerged.
The HP-Bromium research finds that Japan and Australia sustained the most Emotet infections between July and September 2020. The report also confirms that Emotet is spreading through a social-engineering technique called thread-jacking, in which the botnet operator replies to stolen email threads as a way to lure victims into opening malicious content, since the reply appears to come from a trusted source.
The HP-Bromium report also notes that Emotet is spreading through spam or phishing emails that usually contain a malicious attached document. If opened, the file enables malicious macros that install the malware on the compromised device. Some of these documents are designed to look like invoices and purchase orders. "In one campaign, we saw hackers encrypting malicious documents with Microsoft Word's 'Encrypt with Password' feature, to slip past network security and detection tools," Holland says. "The malware, in this case, TrickBot, would only deploy if the user entered a password sent with the phishing email. Developed in 2016, TrickBot is one of the more recent banking Trojans, with many of its original features inspired by Dyreza (another banking Trojan). This meant that most anti-virus tools weren't able to access the file to scan it, but we were able to watch it in the micro-virtual machine. It may sound like a relatively simple tactic, but it's one that has proven to be effective in bypassing detection."
During the first days of November 2020, Bradley Duncan, a threat researcher, posted a blog on the SANS Technology Institute website that found that not only will Emotet infect a device with the Qakbot Trojan, but that Qakbot will then turn around and attempt to spread another Emotet infection, which helps grow the size of the botnet. "In order to become infected, a victim must open the Word document and enable macros. In most cases, people would see a warning against enabling macros. Just opening the Word document by itself should not kick off the infection chain, unless the computer was set up to have macros automatically enabled," Duncan notes. "Although Emotet pushes other families of malware like Qakbot, this is the first time I've seen indications that Qakbot has pushed Emotet."
The HP-Bromium research recommends that the best defense against Emotet is implementing an email content filtering policy to reduce the risk of compromise by encrypted attachments containing the malware. The report also suggests that organizations implement DMARC, safe-list attachments based on the file types the organization would expect to receive, and block encrypted attachments.
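The filtering policy described above (allow-list expected file types, block password-protected and macro-bearing documents) can be enforced at the mail gateway by inspecting attachment content rather than file names. The following is an added illustration, not code from the HP-Bromium report or from Red Sky Alliance; it assumes the organization expects only PDF and unencrypted, macro-free OOXML documents, and it relies on the fact that a document saved with Word's "Encrypt with Password" is stored as an OLE container holding an EncryptionInfo stream.

```python
import io
import zipfile

# Constructed policy: the file types this organization expects to receive.
ALLOWED_KINDS = {"pdf", "ooxml"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries store stream names as UTF-16LE. A password-protected
# OOXML file is an OLE container with an "EncryptionInfo" stream, so the
# encoded name appearing in the bytes is a cheap, scanner-independent tell.
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")


def classify(data: bytes) -> str:
    """Identify an attachment by its content (magic bytes), never by extension."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls are also OLE; only the encrypted case is singled out here.
        return "ole-encrypted" if ENCRYPTION_INFO in data else "ole"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if "[Content_Types].xml" not in names:
            return "zip"
        # Any vbaProject.bin part means the document carries VBA macros.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml"
    return "unknown"


def verdict(data: bytes) -> str:
    """Apply the policy: block encrypted and macro-enabled documents, allow-list the rest."""
    kind = classify(data)
    if kind == "ole-encrypted":
        return "BLOCK: password-protected Office document (cannot be scanned)"
    if kind == "ooxml-macro":
        return "BLOCK: macro-enabled Office document"
    if kind not in ALLOWED_KINDS:
        return f"BLOCK: {kind} is not an expected attachment type"
    return "ALLOW"


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped archive for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

A production filter would parse the OLE directory properly instead of a byte search, but the policy decision (encrypted or macro-enabled documents never reach the user) is the same.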
The installation, updating and monitoring of firewalls and other cyber security controls, the use of multi-factor authentication, and proper employee training are keys to success. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports. Extensive reports on many of the threats mentioned in this article can be found at https://redskyalliance.org. There is no charge for these reports and articles.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com.