Emotet Comes Back to Life

March 26, 2020 | 2 min read

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Emotet, initially a banking trojan, has evolved into a pervasive threat-delivery apparatus. Threat actors use it to infect systems with malicious software such as information stealers, ransomware, and email harvesters.

For a period of time, Emotet’s Command and Control servers went dormant, only to come back to life with new campaigns in the second half of 2019. The following is a list of noteworthy Emotet campaigns seen in January 2020. It is clear that this pervasive threat is starting 2020 strong, with no intention of slowing down.

  • A targeted phishing campaign against email addresses associated with users at the United Nations. The Emotet operators impersonated representatives of Norway at the United Nations in New York and stated that there was a problem with an attached signed agreement.

  • A spam campaign in which Emotet operators use a template pretending to be an extortion demand from a "Hacker" who states that they hacked the recipient's computer and stole their data. The email body states "If you follow the attacked INSTRUCTIONS and transfer us $100, we will simply delete your data. Otherwise, exactly one day after sending this letter, we will sell them on the black market for $10 and your losses can be much greater. Nothing personal is just a business. Have a nice day. I hope for your cooperation".

  • A malspam campaign actively distributed Emotet email payloads that warned of coronavirus infection reports in various areas of Japan, including Gifu, Osaka, and Tottori. To scare the potential victims into opening malicious attachments, the spam emails — camouflaged as official notifications from a disability welfare service provider and public health centers — promise to provide more details on preventative measures against coronavirus infections within the attachments.

In each of these campaigns, Emotet is reported from the perspective of an external attacker attempting to "kick off" the campaign by claiming its first internal victim. However, Emotet contains a propagation mechanism that uses email to collect additional victims. Once Emotet is introduced to an organization (or to an entity in close proximity to an organization), the volume of infectious email messages seen inside the network grows exponentially.

Cisco Talos researchers recently performed a study of the relationship between message volume and domains in order to understand how quickly Emotet spreads within a domain once there is an initial infection. The study looked at the U.S. Military and Federal/State Government top-level domains starting in June 2019. Emotet successfully compromised one or more people working for or with the U.S. government. The result was a rapid increase in the number of infectious Emotet messages directed at the Military and Government domains in December 2019, with the trend continuing into January 2020.