Wednesday, Sep 18, 2019
BY: Team Nuspire
If you had a chance to read our quarterly threat landscape report, you might have noticed that our data showed Emotet activity significantly decreasing. However, our researchers predicted that it would resurface with new tactics. Sure enough, they were right.
In our recent webinar, one of our security analysts, Shawn Pope, discusses Emotet and his predictions for its impact on return.
“That’s what’s gonna happen. We’re going to see these massive campaigns on our e-mail solution that we have. We’ll see pages’ worth; everything will have the same subject line, and it’ll be from all different types of emails. At the end of the day they’re trying to get something out to everybody, and that’s when we go back to that fire-and-forget, like they’re just blasting us out to any email they have. If they get one or two people, you know, it’s successful in their eyes. So definitely, like I said, Emotet is going to be on its way back to banking malware.”
“So if you get infected by this, what it’s trying to do is look for... it’s going to look through your web browsing, your different browsers, and look for maybe bookmarks to your banking or something like that, and then it can try to harvest credentials, ultimately infiltrate that data, and from there that’s financial; also you may be looking at identity theft, you know, they might sell it on the black market for three dollars, I don’t know, but they’re looking to get it.”
Shortly after our webinar, our Security Analytics Team detected more Emotet activity: Emotet has reappeared and resumed its business of sending infected spam email around the world. Considered one of today’s most dangerous malware botnets, Emotet had been dormant for the past four months. Its C2 servers came back online on August 22nd, but the spam did not resume until September 16th, when it hit the UK, Italy, Poland, Germany and the US; it is believed the Emotet operators spent the intervening weeks preparing the botnet for operations on the 16th.
It has been confirmed that Emotet’s payload was Trickbot, a banking trojan and malware loader dropped by Emotet as a secondary infection. The emails used a financial theme and appeared to be replies to a previous conversation. Once opened, the malicious document asks the user to enable content (that is, to enable macros) so that the embedded code can run. The campaign targeted almost 66,000 email addresses across more than 30,000 domains and over 385 unique top-level domains, and the spam was sent from 3,362 sender accounts whose credentials had been stolen.
Be on the lookout for this type of spam campaign. In addition to disguising the email as a reply to an existing thread, the operators also try to trick users into enabling macros with a fake warning that their Microsoft Word software will stop working after September 20th, and a genuine Microsoft logo is added to the email body as well.
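The three lure traits above (a reply-style subject, the fake Word-expiry warning, and an attached Office document that carries a VBA project) can be checked mechanically on inbound mail. The following triage script is an added example, not Nuspire’s tooling or anything from the campaign itself: the sample messages are constructed inline, the exact wording of the fake warning is assumed (tune the regex to real samples), and the macro check is a lightweight heuristic (a `vbaProject.bin` entry in OOXML zips, or a UTF-16 "VBA" storage name in legacy OLE files) rather than a full Office parser.

```python
"""Triage a raw .eml for the Emotet thread-reply / enable-macros lure.

Added example; not Nuspire's code. The lure phrasing, sample messages and
the VBA-detection heuristic are assumptions made for illustration.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Legacy binary Office files (.doc) are OLE2 compound files; OOXML files
# (.docm/.docx) are zip archives that keep macros in word/vbaProject.bin.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries store storage names as UTF-16LE, so "VBA" appears as
# V\0B\0A\0. Heuristic only; use a real parser (e.g. oletools) in production.
OLE_VBA_MARKER = "VBA".encode("utf-16-le")

REPLY_RE = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
# Assumed wording of the fake "Word will stop working" warning.
LURE_RE = re.compile(
    r"enable\s+(content|editing|macros)|will\s+(stop|no\s+longer)\s+work", re.I
)


def attachment_has_vba(data: bytes) -> bool:
    """Return True if an attachment looks like a macro-bearing Office document."""
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_eml(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the three lure traits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    macro_attachments = []
    for part in msg.iter_attachments():
        payload = part.get_content()  # bytes for non-text parts
        if isinstance(payload, bytes) and attachment_has_vba(payload):
            macro_attachments.append(part.get_filename() or "<unnamed>")

    result = {
        "reply_subject": bool(REPLY_RE.match(subject)),
        "lure_text": bool(LURE_RE.search(body)),
        "macro_attachments": macro_attachments,
    }
    if macro_attachments and (result["reply_subject"] or result["lure_text"]):
        result["verdict"] = "suspicious"  # macro doc plus social-engineering cue
    elif macro_attachments or (result["reply_subject"] and result["lure_text"]):
        result["verdict"] = "review"
    else:
        result["verdict"] = "clean"
    return result


def build_sample_docm() -> bytes:
    """Constructed stand-in for a macro-enabled Word file: a zip with a VBA entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # real files hold compiled VBA
    return buf.getvalue()


def build_sample_eml(malicious: bool = True) -> bytes:
    """Constructed message mimicking the thread-reply lure (no real sender data)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.net"
    if malicious:
        msg["Subject"] = "RE: Invoice 4471 overdue"
        msg.set_content(
            "Please see the attached invoice.\n"
            "Important: Microsoft Word will stop working after September 20th. "
            "Enable content to view this document."
        )
        msg.add_attachment(
            build_sample_docm(),
            maintype="application",
            subtype="vnd.ms-word.document.macroEnabled.12",
            filename="Invoice_4471.docm",
        )
    else:
        msg["Subject"] = "Team lunch on Friday"
        msg.set_content("Pizza at noon in the main conference room.")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_eml(build_sample_eml(malicious=flag)))
```

Run it on real mail by feeding `triage_eml()` the bytes of each `.eml` pulled from quarantine; a `suspicious` verdict is a reasonable trigger for detonation in a sandbox, while `review` is meant for an analyst queue rather than automatic blocking, since legitimate replies with macro-enabled documents do occur.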