“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
Emotet, initially a banking trojan, has evolved into a pervasive threat-delivery apparatus. Threat actors use it to infect systems with malicious software such as information stealers, ransomware, and email harvesters.
For a period of time, Emotet’s Command and Control servers went dormant, only to come back to life with new campaigns in the second half of 2019. The following is a listing of noteworthy Emotet campaigns seen in the month of January. It is clear that this pervasive threat is starting off 2020 strong, with no intention of slowing.
In each of these campaigns, Emotet is reported from the perspective of an external attacker attempting to "kick off" the campaign by claiming its first internal victim. However, Emotet contains a propagation mechanism that uses email to collect additional victims. Once Emotet is introduced to an organization (or to an entity that is in close proximity to an organization), the volume of infectious email messages seen inside the network grows exponentially.
Cisco Talos researchers recently performed a study looking at the relationship between message volume and domains in order to understand how quickly Emotet spreads within a domain once there is an initial infection. In the study they looked at the U.S. Military and Federal/State Government top-level domains starting in June 2019. Emotet was able to successfully compromise one or more persons working for or with the U.S. government. The result of this was a rapid increase in the number of infectious Emotet messages directed at the Military and Government domains in December 2019, with the trend continuing into January 2020.
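The volume-per-domain signal described above is something a SOC can compute from its own mail-gateway logs. The following is an added illustration, not code from BlueVoyant or Cisco Talos: it assumes a hypothetical log format of one line per inbound message (date, recipient domain, verdict), and flags a domain whose Emotet-verdict message count over the most recent window has jumped relative to the preceding window, the pattern the study saw once an initial victim had been claimed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample mail-gateway log (hypothetical format, not a real product's):
# "<YYYY-MM-DD> <recipient_domain> <verdict>", one line per inbound message.
SAMPLE_LOG = """\
2019-12-01 example.gov emotet
2019-12-02 example.gov emotet
2019-12-03 example.gov emotet
2019-12-04 example.gov emotet
2019-12-04 example.gov emotet
2019-12-05 example.gov emotet
2019-12-05 example.gov emotet
2019-12-05 example.gov emotet
2019-12-06 example.gov emotet
2019-12-06 example.gov emotet
2019-12-06 example.gov emotet
2019-12-06 example.gov emotet
2019-12-01 example.mil clean
2019-12-03 example.mil emotet
2019-12-06 example.mil emotet
"""


def daily_counts(log_text):
    """Count Emotet-verdict messages per recipient domain per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        day, domain, verdict = line.split()
        if verdict == "emotet":
            counts[domain][date.fromisoformat(day)] += 1
    return counts


def flag_internal_spread(counts, end_day, window=3, growth=2.0, min_recent=5):
    """Return {domain: (previous_window_count, recent_window_count)} for domains
    whose Emotet message volume in the last `window` days is at least `growth`
    times the preceding window's volume (and at least `min_recent` messages)."""
    flagged = {}
    for domain, per_day in counts.items():
        recent = sum(per_day.get(end_day - timedelta(days=i), 0)
                     for i in range(window))
        previous = sum(per_day.get(end_day - timedelta(days=i), 0)
                       for i in range(window, 2 * window))
        if recent >= min_recent and recent >= growth * max(previous, 1):
            flagged[domain] = (previous, recent)
    return flagged
```

The thresholds are starting points to tune against a baseline of the organization's normal blocked-message volume; a flagged domain is a prompt to hunt for the first internal victim rather than a verdict on its own.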