Emotet was first identified in 2014 as a “simple” banking trojan built to steal financial data. It has since grown into a modular botnet, adding capabilities such as worm-like spreading and the delivery of ransomware, which is why the US Department of Homeland Security has described it as “one of the most expensive and disruptive malware impacting federal, provincial, national, and territorial governments, and the private and public sectors.”
The Emotet botnet has been active since 2014 and is operated by a threat actor tracked as TA542. After a five-month absence, Emotet resurfaced in July 2020, and many of its phishing campaigns since then have relied on an “email thread hijacking” tactic.
Cybersecurity authorities in Asia and Europe are warning about Emotet spam campaigns targeting organisations in France, Japan, and New Zealand. Emotet also serves as a loader for other malware, such as the TrickBot and QBot trojans, which in turn deliver ransomware such as Conti (via TrickBot) or ProLock (via QBot).
How it functions
Once Emotet has compromised the mailbox of an employee at a targeted organisation (or the organisation’s generic contact inbox), it exfiltrates the mailbox’s contents.
From that material, the attackers craft phishing emails that pose as replies to a genuine exchange between the employee and the partners he or she works with. The subject line is the original one prefixed with one or more “Re:”, and the body quotes the earlier conversation and may even carry legitimate attachments.
These emails are sent to the victim’s contacts, and more specifically to the organisation’s third parties (clients and service providers) who took part in the original thread, which makes them far more credible to the recipients.
Alongside this technique, TA542 also builds phishing emails from information obtained during the mailbox compromise and sends them to the exfiltrated contact lists, or more simply impersonates well-known organisations, whether or not they were themselves previous Emotet victims (carriers, telephone providers, or financial institutions).
In either case, the compromised mailboxes themselves do not appear to be used to deliver the phishing emails; instead, the emails are sent from attacker-controlled servers using typosquatted sender addresses.
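The signals described in this section can be turned into a triage check. The Python script below is an added example, not code from the article or from any of the CERTs it cites. It parses a constructed message (every address and domain in it is invented), counts the “Re:” prefixes, collects the domains of everyone quoted in the earlier thread, and flags the sender when its domain is a lookalike of a participant’s domain but never itself appeared in the thread. The `is_lookalike` heuristic (edit distance plus brand-label containment) is this example’s own assumption, not something the page describes.

```python
"""Thread-hijack triage. Added example, not the article's or any CERT's code.
Signals: a subject with one or more "Re:" prefixes, a quoted earlier thread in
the body, and a sender domain that is a near copy of a real participant's
domain. The message, names and domains below are constructed for this example.
"""
import re
from email import message_from_string, policy

# Constructed sample: the attacker replies to a stolen thread between
# bob@example.org and jane.doe@contoso.com from a lookalike domain.
SAMPLE_EML = """\
From: Jane Doe <jane.doe@contoso-corp.com>
To: bob@example.org
Subject: Re: Re: Invoice 4471 - Q3 delivery
Content-Type: text/plain; charset="utf-8"

Hi Bob,

Please see the updated invoice attached and enable editing to view it.

On Tue, 1 Sep 2020, Bob <bob@example.org> wrote:
> Thanks Jane, the delivery schedule looks fine.
> On Mon, 31 Aug 2020, Jane Doe <jane.doe@contoso.com> wrote:
>> Bob, here is the delivery schedule for Q3.
"""

ADDR_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[a-z]{2,})", re.I)
PREFIX_RE = re.compile(r"^(?:re|fw|fwd)\s*:\s*", re.I)

def levenshtein(a: str, b: str) -> int:
    """Edit distance; domain labels are short, so the quadratic loop is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Second-level label ('contoso' for 'mail.contoso.com').
    Assumption: two-part public suffixes such as co.uk are not handled here."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_lookalike(candidate: str, known: str) -> bool:
    """True when candidate imitates known: same brand label under another TLD,
    a one- or two-character edit of it, or the brand embedded in a longer label."""
    candidate, known = candidate.lower(), known.lower()
    if candidate == known or candidate.endswith("." + known):
        return False  # identical, or a legitimate subdomain of the known domain
    c, k = registrable_label(candidate), registrable_label(known)
    if c == k or levenshtein(c, k) <= 2:
        return True  # contoso.net, c0ntoso.com, contosso.com ...
    return len(k) >= 5 and k in c  # contoso-corp.com, contoso-invoices.net ...

def reply_depth(subject: str) -> int:
    """Number of leading Re:/Fwd: tokens; hijacked threads usually carry several."""
    depth, s = 0, subject.strip()
    while (m := PREFIX_RE.match(s)):
        depth, s = depth + 1, s[m.end():]
    return depth

def quoted_thread_domains(body: str) -> set:
    """Domains of addresses that appear in quoted text or 'On ... wrote:' lines."""
    found = set()
    for line in body.splitlines():
        if line.lstrip().startswith(">") or line.rstrip().endswith("wrote:"):
            found.update(d.lower() for d in ADDR_RE.findall(line))
    return found

def triage(raw: str) -> dict:
    """Score one message. SPF/DKIM usually pass for this kind of mail, because the
    attacker owns the lookalike domain; the tell is the mismatch with the
    thread's real participants, not a failed authentication result."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    sender = msg["From"].addresses[0].domain.lower()
    quoted = quoted_thread_domains(body)
    lookalike_of = sorted(d for d in quoted if is_lookalike(sender, d))
    result = {
        "sender_domain": sender,
        "reply_depth": reply_depth(msg["Subject"]),
        "quoted_domains": sorted(quoted),
        "lookalike_of": lookalike_of,
        "sender_in_thread": sender in quoted,
    }
    # Verdict: a reply into an existing thread from a domain that imitates a
    # participant but never itself took part in the conversation.
    result["suspicious"] = (bool(lookalike_of) and not result["sender_in_thread"]
                            and result["reply_depth"] >= 1)
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it as a script to print the signals for the sample. Because the attacker controls the typosquatted domain, SPF and DKIM for that domain normally pass, so a check of this kind has to compare the sender against the thread’s real participants rather than rely on authentication results alone.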
The French national cybersecurity agency has issued an alert about a sharp rise in Emotet attacks against private companies and public administrations in France.
The Computer Emergency Response Team of New Zealand (CERT NZ) has released a security notice warning about spam campaigns distributing Emotet.
How is it spreading?
JPCERT/CC has reported a sharp rise, since September 2020, in the number of Japanese (.jp) email addresses that have been compromised by Emotet and used to send spam emails seeking to spread the infection. The number of consultations about Emotet infections is also growing, and JPCERT/CC assesses that infections are actively propagating.
“On 25 August the botnet changed to a new template, called ‘Red Dawn’ by Emotet expert Joseph Roosen because of its red accent colours,” reported Bleeping Computer.
The Red Dawn template displays the message “This document is safe”, tells the user that the preview is not available, and tries to persuade him or her to click ‘Enable Editing’ and then ‘Enable Content’ to view the document; those two buttons take the file out of Protected View and run its macros.
Current spam campaigns use messages that carry malicious Word documents, either as attachments or as links, presented as invoices, shipping records, COVID-19 information, résumés, financial statements, or scanned documents.
The latest version of Emotet is distributed through automated social engineering, mostly over email. Emotet hijacks legitimate email threads and inserts its malicious message into them so that it looks trustworthy to the recipient. Email threads often change subject abruptly, and Emotet exploits that habit of going off on tangents to steer the conversation towards something else, such as an update to a pending invoice.
Because Emotet is delivered through malicious macros in Office documents, disable macros in Microsoft Office: allow only macros that are digitally signed or that come from trusted locations, and make sure that the anti-virus software on every endpoint is running and up to date.
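A mail gateway or an analyst can apply the same advice on the receiving side by refusing macro-capable documents before they reach a user. The Python below is an added example, not the article’s or any vendor’s code. It inspects constructed attachments (not real Word files) and classifies them by what the container actually holds: a modern Office file is a ZIP archive in which any VBA project is stored as a vbaProject.bin part regardless of the file extension, while a legacy binary .doc is an OLE2 compound file that can carry macros without such a marker and is therefore held for deeper inspection (olevba from oletools is the usual tool for that). The verdict names and the `should_quarantine` policy are this example’s own assumptions.

```python
"""Attachment triage for macro-bearing Office documents. Added example, not
code from the article or from any vendor. The sample files are built in memory
and are only ZIP containers with Office-style part names, not real documents.
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound file (legacy .doc/.xls) header

def build_docx(with_vba: bool) -> bytes:
    """Constructed OOXML-shaped ZIP: the right part names, not a valid document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()

def classify(filename: str, data: bytes) -> str:
    """Return 'legacy-ole', 'vba', 'clean' or 'not-office' for one attachment.
    The decision is made on the bytes, never on the extension in filename."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"  # may hold macros; needs OLE-aware inspection
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    # word/, xl/ and ppt/ all use the same part name for the VBA project, and a
    # file named .docx can still ship one, so the part name is what counts.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "vba"
    return "clean"

def should_quarantine(filename: str, data: bytes) -> bool:
    """Gateway policy matching the advice above: no macro-capable documents from
    outside, whether the macros are visible (.docm) or hidden under a .docx name.
    Legacy OLE files are held too, since their macros cannot be ruled out here."""
    return classify(filename, data) in {"vba", "legacy-ole"}

def triage(attachments: list) -> dict:
    """Map each (filename, bytes) pair to its verdict."""
    return {name: classify(name, data) for name, data in attachments}

if __name__ == "__main__":
    samples = [  # constructed, not captured from a real campaign
        ("invoice_4471.docm", build_docx(True)),
        ("invoice_4471.docx", build_docx(True)),    # VBA hidden under a .docx name
        ("delivery_schedule.docx", build_docx(False)),
        ("scan_0098.doc", OLE2_MAGIC + b"\x00" * 504),  # legacy header only
        ("readme.txt", b"plain text"),
    ]
    for name, verdict in triage(samples).items():
        print(f"{name}: {verdict} (quarantine={should_quarantine(name, dict(samples)[name])})")
```

On the endpoint side, the corresponding Office Group Policy control is the VBA macro notification setting (registry value VBAWarnings, where 3 means disable all macros except digitally signed ones), together with the “Block macros from running in Office files from the Internet” policy; the gateway check above only reduces what reaches those controls.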