The news last month that Emotet had been disrupted would have been welcomed by those who have fallen victim to the malware. Having first surfaced in 2014 as a banking Trojan and now operating as a botnet of infected systems, Emotet is estimated to have caused more than $2 billion in losses globally, according to Ukrainian law enforcement.
We observed a noticeable increase in Emotet activity in the past few months on our client networks, as it manifested itself in spam email campaigns against public and private sector organisations and critical infrastructure.
We analysed 525 emails across 14 organisations that had received suspicious emails in December 2020 and January 2021. Although the majority of these emails were detected and quarantined by the respective mail gateways, they raised immediate concern because of their apparent targeted nature. It was Emotet.
This article looks at some of the indicators of compromise and ways to prevent or mitigate the impact of such malware, at a high level.
Emotet is highly automated and will target anyone. The majority of emails we reviewed had the same format: the attacker would change the display name to that of a known contact of the recipient organisation. This increases the success rate, as recipients commonly rely on the display name rather than checking the actual email address. We found that all emails were being sent from a variety of registered addresses on valid, compromised domains and via known spam forwarders.
A common trace or fingerprint throughout was a pasted header at the top of each email body, where the attacker would paste in the name and email address of the victim’s account:
BEGIN SAMPLE //
// END SAMPLE
94% of the emails hijacked legitimate conversations and threads, whereby users included in the original email exchanges were then targeted – either by having their name and address spoofed or being sent phishing emails directly. The spam was not limited to emails written in English either; we observed other languages being used where the malware targeted organisations across Europe.
All of the emails contained the same payload in the form of malicious attachments. These were either a Microsoft Office .doc file, or a compressed .doc file in a password-encrypted zip. The passwords were provided in the email body.
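As an added example (not code from the original article or from 6point6), the following Python triages a raw message for the traits described above: a known contact's display name on a different sending address, a .doc attachment, and an encrypted zip whose password appears in the body. The contact directory, the finding labels and the sample message are constructed assumptions.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: directory of known contacts, display name -> genuine address.
KNOWN_CONTACTS = {"jane smith": "jane.smith@partner.example"}

def zip_is_encrypted(data):
    """True if any archive member has the encryption flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & 0x1 for i in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage(raw):
    """Return findings for one raw RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name-mismatch")  # trusted name, other sender
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(".doc"):
            findings.append("doc-attachment")
        elif fname.endswith(".zip") and zip_is_encrypted(part.get_payload(decode=True) or b""):
            findings.append("encrypted-zip")
            # English keyword only; the campaigns also used other languages.
            if re.search(r"\bpassword\b", text, re.I):
                findings.append("password-in-body")
    return findings

def constructed_sample():
    """Constructed message: known display name, unrelated address, .doc attached."""
    m = EmailMessage()
    m["From"] = "Jane Smith <accounts@unrelated.example>"
    m["Subject"] = "RE: invoice"
    m.set_content("Please see attached.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="msword", filename="invoice.doc")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Findings like these are best used to score or route messages for review alongside the mail gateway's own verdict, since a legitimate contact can also send from a second address.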
6point6 ran dynamic malware analysis against the files which confirmed ties to Emotet. All files contained macros that attempted to make network connections to known Emotet botnet infrastructure, within Epoch 2.
The behaviour of Emotet has been well documented, but this writeup from Unit 42 does an excellent job of examining the infection network traffic.
There are a number of measures your organisation can take to prevent Emotet and similar malware variants from infiltrating your networks. We recommend the following at a minimum, most of which are covered by Cyber Essentials Plus:
If any of your systems have been affected you will need to take the following steps to mitigate the risk: