Emotet reinvigorated after Christmas break

The Emotet email trojan-turned-botnet is back in action, apparently reinvigorated after the holiday season, cyber security researchers at Proofpoint and Cisco Talos have both confirmed in the past 48 hours.

This is not the first time that the TA542 cyber criminal group behind Emotet – which is considered one of the most dangerous botnet and malware-droppers-for-hire in the world – has taken some time off. Last summer, Emotet’s activity tailed off for almost three and a half months before re-emerging in mid-September 2019, having also apparently taken intensive courses in Italian and Spanish.

Emotet works by stealing a victim’s email, then impersonating them and mailing out copies of itself, luring targets to download it from compromised websites by opening an attached or linked document in a fairly standard social engineering attack.

Infected endpoints then go on to propagate Emotet laterally onto other machines on the same network, stealing more credentials and spamming more contact lists as it goes. It can also serve as a delivery mechanism for ransomware payloads.

Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, said: “Emotet is one of the world’s most disruptive threats and organisations worldwide should take its return seriously. They have a massive sending infrastructure – nobody hits volumes like they do.

“TA542’s recent uptick in activity shows that threat actors work smarter, not harder. They took 150 days off in 2019 and even with breaks, they’re incredibly effective.

“When TA542 returned in September 2019 from a summer hiatus, they accounted for over 11% of all the malicious attachments we saw globally for the entire third quarter of that year, despite being active for only two weeks during that three-month period.”

Cisco Talos’ Jaeson Schultz, who has been monitoring its activity for some time, described Emotet as a particularly cunning foe because of the way it exploits personal and professional relationships to spread itself.

“When receiving a message from a trusted friend or colleague, it is quite natural for recipients to think, ‘I can safely open this email attachment because it is in reply to a message I sent, or from someone I know’,” he said.

“Any person or organisation that has sent an email to an Emotet victim could be targeted by Emotet’s propagation messages. The more interaction with the victim you have, the more likely you are to receive a malicious email from Emotet.

“Like a meandering watering hole attack, this is how Emotet crosses organisational boundaries with the potential to affect entire industries or even countries.”

As an example of this, Schultz said that at some point in recent weeks, Emotet has clearly successfully compromised one or more persons within the US government, as a result of which the number of infectious messages directed to the .mil and .gov top-level domains (TLDs) used by the US military and government has spiked massively.

DeGrippo confirmed large-scale Emotet volumes observed across North America in Canada, Mexico and the US, but said that as of Tuesday 14 January, volumes had also ticked up in other countries, including Australia, Germany, Italy, Japan, Singapore and Spain.

“On Monday alone, we saw nearly three-quarters of a million messages and they’re already fast approaching one million messages total,” she said. “To give this context, this isn’t the highest volume we’ve ever seen from this actor – that was over one million messages in one day. But Monday was the biggest volume since April 2019.”

DeGrippo urged CISOs to take this ramp-up of activity very seriously, and urged organisations to take all necessary steps to ensure their email traffic is secure and, critically, that end-users are awake to the dangers of clicking unsolicited links or attachments.

“Layered defences with protection at the email gateway will help prevent delivery of these messages and customised user training programmes will help potential victims recognise malicious emails,” she said.

“It is important that security teams continue to secure their email channel and educate users regarding the increased risks associated with email attachments.”

Schultz added: “If an organisation in close proximity to yours becomes infected with Emotet, you can expect to receive an increased volume of infectious email messages addressed to your users. If Emotet infects any of the users inside your domain, then the volume of Emotet email destined for your network will increase.

“Many of these email messages arrive via hijacked email threads, so there is no simple pattern that anti-spam systems can use to identify and eliminate these messages. More advanced anti-spam systems, such as IPAS, will still be able to successfully filter Emotet messages. However, all technical systems, no matter how robust, must always be supplemented by educational efforts and awareness training for your users.”