Emotet Returns With Old Tricks, Malware Partners

July 28, 2020 @ 5:20 AM
| |
3 min read

A malspam campaign involving Emotet saw a resurgence after five months of laying low, Malwarebytes detected on Friday, July 17. This operation used the well-known method of sending attack emails as a reply within an existing email thread. From there, the emails invited the recipient to open an attachment. Named “Form – Jul 17, 2020.doc,” the attachment opened a Microsoft Word document that informed the user of the need to enable content.

If they agreed to do so, the user inadvertently enabled a heavily-obfuscated macro embedded within the document. That macro then proceeded to call Windows Management Instrumentation (WMI), which in turn launched PowerShell. As its final phase, the campaign used PowerShell to iterate through a list of compromised remote websites. Once it identified one that was responding, the operation pulled down an Emotet payload and installed it on the victim’s machine. Then, the malware sent confirmation back to one of its command-and-control (C&C) servers.

Restoring the “Real Damage” of an Emotet Attack

Malwarebytes notes the real damage from an Emotet infection comes from the threat group’s alliances with other malware actors. In particular, it opens machines up to actors responsible for families that are capable of dropping ransomware onto an infected computer. The actors responsible for coordinating Emotet’s attacks are aware of this point.

Just three days after Malwarebytes spotted this malspam campaign, a security researcher told Bleeping Computer that they had spotted Emotet distributing TrickBot, a trojan which has a history of distributing ransomware such as Conti and Ryuk. Just a day later, Bleeping Computer learned the Emotet gang had begun distributing QakBot across all three branches of the botnet’s infrastructure. QakBot is another preferred partner of Emotet that has in some instances loaded ProLock ransomware onto infected machines.

Emotet: Threat Activity Before Its Five-Month Pause

The threat activity described above marks the return of Emotet after nearly a five-month pause. It did not enter into that break with a whimper, however. 

Threat actors used Emotet in multiple attack campaigns before its hiatus. At the beginning of February 2020, IBM X-Force discovered an operation in which attackers had employed coronavirus 2019 as a lure in malspam emails to deliver Emotet via weaponized Word documents. Two weeks later, IBM researchers disclosed a SMiShing campaign in which attackers impersonating well-known banks sent text messages from what appeared to be local U.S. numbers. They used that cover to trick recipients into clicking on a link that redirected them to domains hosting Emotet.

These two attack campaigns, not to mention the use of brute-forcing attacks on local WiFi networks, played a large part in Check Point Research’s decision to name Emotet as the second most-popular malware in February 2020. It came behind Mirai, a threat which at the time was targeting internet of things (IoT) devices with a new vulnerability. It did so as a means of building its botnet and conducting distributed denial-of-service (DDoS) attacks.

How to Defend Against Emotet

Security professionals can help their organizations defend against an Emotet infection first and foremost by investing in a security awareness training program. As part of this education initiative, infosec personnel should regularly test their employees with phishing simulations. Emotet has a history of using email attacks to enter organizations. Therefore, by educating their employees about such campaigns, security professionals will be able to reduce the likelihood of an attack email entering into the organization.

Next, they need to realize that some attack emails will get through employees’ defenses. Therefore, they need to set up some technical controls designed to monitor the network for signs of malicious macros, a common delivery vector for Emotet. They can do this by implementing proper logging, reviewing logs for suspicious activity and performing endpoint scans.

Last but not least, infosec personnel need to stay on top of the latest attack campaigns, partnerships and tactics employed by malware actors such as those responsible for Emotet. The best way they can do this is by using threat intelligence services to prepare themselves against these new developments.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more