Emotet on the rise with heavy spam campaign

guest · Aug 13, 2020

Emotet Return Brings New Tactics & Evasion Techniques
August 13, 2020
https://www.darkreading.com/attacks...tactics-and-evasion-techniques/d/d-id/1338654

The Emotet botnet recently resurfaced following five months of quiet. Now, researchers tracking the prolific threat share details about what's new and different in its latest wave — in particular, evasion detection tactics that help attackers fly under the radar of security tools.

Over the last few years, this threat has been "coming in waves," says Shimon Oren, vice president of research at Deep Instinct, where researchers have been analyzing its recent activity. "We see periods of very, very high volume of activity, both in terms of new samples that are generated and are being distributed and users, and also in terms of the targets."
In addition to hijacking existing email threads, Emotet has begun to add stolen attachments to emails in order to make them seem legitimate.
Click to expand...

Deep Instinct researchers evaluated a dataset of 38,000 samples from Emotet activity from July 17 to July 28; they divided these samples into three epochs, or botnets operating independently. They also broke the samples down into 170 templates, most of which were found in one epoch, indicating operators behind each have their own Emotet loaders.

It's important to note that Emotet's attackers know that their malware will be detected, stopping its functions, and there will be efforts to block their threat.

"The malware developer vs. malware detector battle will rage forever," Kujawa says.
"So they've doubled down on the one vulnerability they can most count on, and that is fooling users," he continues.
Click to expand...

Deep Instinct: Why Emotet’s Latest Wave is Harder to Catch than Ever Before

We reveal novel evasion techniques which assist the new wave of Emotet to avoid detection
Click to expand...

guest · Aug 14, 2020

Emotet malware strikes U.S. businesses with COVID-19 spam
August 14, 2020
https://www.bleepingcomputer.com/ne...are-strikes-us-businesses-with-covid-19-spam/

The Emotet malware has begun to spam COVID-19 related emails to U.S. businesses after not being active for most of the USA pandemic.

With Emotet's back in full swing again after awakening on July 17th, 2020, Emotet has started spewing out COVID-19 spam, and this time it's is now targeting users in the USA.
COVID-19 Emotet spam now targeting U.S. orgs
In a new spam email discovered by security researcher Fate112, Emotet has been sending out a stolen email that pretends to be from the 'California Fire Mechanics' sending a 'May COVID-19 update'.
Ultimately, Emotet will download and install other malware such as Qbot or TrickBot, which will be used to steal your data, passwords, and potentially lead to ransomware deployment.
Click to expand...

guest · Aug 15, 2020

mood said: ↑

Cryptolaemus group
Meet the white-hat group fighting Emotet, the world's most dangerous malware
February 29, 2020
https://www.zdnet.com/article/meet-...ing-emotet-the-worlds-most-dangerous-malware/
Click to expand...

For six months, security researchers have secretly distributed an Emotet vaccine across the world
August 14, 2020
https://www.zdnet.com/article/for-s...stributed-an-emotet-vaccine-across-the-world/

Believed to operate from the territories of the former Soviet States, Emotet is also one of today's most skilled malware groups, having perfected the infect-and-rent-access scheme like no other group.
Today, Emotet scares IT departments at companies all over the world and has given massive headaches to the entire cyber-security industry.
EMOTET'S SECRET BUG
One such bug came to light earlier this year, discovered by James Quinn, a malware analyst working for Binary Defense.

The fact that Quinn discovered the bug was no accident. For the past years, Quinn's primary job has been to hunt Emotet and keep an eye on its operations, but also, as a personal hobby, to raise awareness about this threat part of the Cryptolaemus group. (Read about Cryptolaemus' fascinating history of hunting Emotet here.)
Click to expand...

MEET EMOCRASH
Through trial and error and thanks to subsequent Emotet updates that refined how the new persistence mechanism worked, Quinn was able to put together a tiny PowerShell script that exploited the registry key mechanism to crash Emotet itself.
The script, cleverly named EmoCrash, effectively scanned a user's computer and generated a correct -- but malformed -- Emotet registry key.

When Quinn ran EmoCrash on computers already infected with Emotet, the script would replace the good registry key with the malformed one, and when Emotet would re-check the registry key, the malware would crash as well, preventing infected hosts from communicating with the Emotet command-and-control server.

"Two crash logs would appear with event ID 1000 and 1001, which could be used to identify endpoints with disabled and dead Emotet binaries," Quinn said.
Click to expand...

And since it's always funny when security researchers troll malware operators, Quinn also tried to obtain a CVE for Emotet's buffer overflow bug from MITRE, the organization that tracks security flaws across software programs.
Sadly, MITRE declined to assign a CVE to Emotet, which would have made it the first malware strain with its own CVE identifier.
Click to expand...

guest · Aug 21, 2020

Emotet Malware Over the Years: The History of an Active Cyber-Threat
August 21, 2020
https://heimdalsecurity.com/blog/emotet-malware-history/?web_view=true

Malware strains come and go while Internet users become more and more accustomed to online threats being dealt with swiftly by the competent authorities. But what happens when a Trojan constantly eludes everyone’s best efforts to stop it in its tracks?

In this article, I will go over the complex history of one of the longest-running cybercrime operations in recent history, Emotet. Keep reading to find out what it is, how it operates, and what it uses to take control of an entire network. And if you want to find out what you can do to protect your organization against this still active threat, stay tuned until the end.
Click to expand...

What Is Emotet Malware?
Emotet belongs to the malware strain known as banking Trojans. It primarily spreads through malspam, which are spam emails that contain malware (hence the term). These messages often contain familiar branding, mimicking the email format of well-known and trusted companies such as PayPal or DHL to convince users. [...]
Click to expand...

guest · Aug 29, 2020

TA542 Returns With Emotet: What's Different Now
August 28, 2020
https://www.darkreading.com/threat-...ith-emotet-whats-different-now/d/d-id/1338785

TA542, a threat group known for distributing Emotet malware, returned this summer following a hiatus that spanned from Feb. 7 through July 17. Now back, its email campaigns are the most rampant by message volume, which is roughly the same as it was before its break.

Proofpoint researchers watching TA542 say aside from some new techniques and incremental changes, the group has made "surprisingly minimal change" in its tactics or tooling considering the length of time it was gone.
Significant updates include the distribution of the Qbot affiliate "partner01," replacing The Trick as the primary malware payload delivered by Emotet.

Smaller changes were seen in the emails themselves, where researchers noticed a "significant volume" of thread hijacking and language localization. TA542 continues to leverage generic lures, as well as news-related bait related to COVID-19 and other topics.
Click to expand...

"Whether they iterate and change their tactics or continue in the same manner, Emotet remains a highly dangerous threat," researchers state.
Click to expand...

Proofpoint: A Comprehensive Look at Emotet’s Summer 2020 Return

guest · Aug 29, 2020

Emotet malware's new 'Red Dawn' attachment is just as dangerous
August 29, 2020
https://www.bleepingcomputer.com/ne...new-red-dawn-attachment-is-just-as-dangerous/

The Emotet botnet has begun to use a new template for their malicious attachments, and it is just as dangerous as ever.

When opened, these attachments will prompt a user to 'Enable Content' so that malicious macros will run to install the Emotet malware on a victim's computer.
To trick a user into enabling the macros, Emotet has been using a document template that tells uses that the document was created on iOS and cannot be properly viewed unless the 'Enable Content' button is clicked.

On August 25th, the botnet switched to a new template that Emotet expert Joseph Roosen has named 'Red Dawn' due to its red accent colors.
Click to expand...

guest · Sep 2, 2020

Epic Fail: Emotet malware uses fake ‘Windows 10 Mobile’ attachments
September 2, 2020
https://www.bleepingcomputer.com/ne...ware-uses-fake-windows-10-mobile-attachments/

The Emotet malware is now using malicious email attachment that pretends to be made by Windows 10 Mobile, an operating system that reached the end of life in January 2020.
Tricking a user into enabling Word macros
When a Word document with macros is opened, Microsoft Word will open it in a 'Protected View' that does not allow the macros to execute.
In a recent update to the malicious Word documents, Emotet tracking group Cryptolaemus have discovered that a new document template is being used that pretends to be created on 'Windows 10 Mobile.'

Operation did not complete successfully because the file was created on Windows 10 Mobile device.
To view and edit document click Enable Editing and then click Enable Content.
While there are people who continue to use Windows 10 Mobile today, it is not a large user base, and the chances that anyone is sending you documents from a Windows 10 Mobile device is relatively low.
Click to expand...

guest · Sep 7, 2020

France warns of Emotet attacking companies, administration
September 7, 2020
https://www.bleepingcomputer.com/ne...of-emotet-attacking-companies-administration/

The French national cyber-security agency today published an alert warning of a surge in Emotet attacks targeting the private sector and public administration entities throughout the country.

French public administration has three sub-sectors: central public administrations (APUC), local government (LUFA), and social security administrations (ASSO).
Attacks abruptly increased for several days

"For several days, ANSSI has observed the targeting of French companies and administrations by the Emotet malware," the ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) alert bulletin reads.
"Special attention should be paid to this because Emotet is now used to deploy other malicious code that may have a strong impact on the activity of victims."
ANNSI also provides a list of recommendations organizations should follow to prevent Emotet infections and to properly react after they systems get compromised: [...]
Click to expand...

guest · Sep 22, 2020

Emotet double blunder: fake ‘Windows 10 Mobile’ and outdated messages
September 22, 2020
https://www.bleepingcomputer.com/ne...fake-windows-10-mobile-and-outdated-messages/

The Emotet botnet has switched up their malicious spamming campaign and is now heavily distributing password-protected archives to bypass email security gateways.

This campaign started on Friday with documents claiming to be created on the expired Windows 10 Mobile and continued with a large volume of messages pretending to be made on Android.
Dumb and dumber
Trying to trick users into enabling macros to see documents created on a different operating system may be a convincing stratagem but using Windows 10 Mobile (since the beginning of the month) is a blunder since the OS reached end of life in January 2020.

Microsoft says that Emotet switched the ruse on Monday and started to deliver documents claiming to be made on Android and that “Enable Content” (thus activating embedded macro code) needs to be clicked to view the document.
However convincing the messages may be, as seen in the screenshots from Microsoft, they are obsolete, mentioning dates from 2013 and 2014.
Click to expand...

Operation Zip Lock has been ongoing for weeks
While Microsoft noticed this campaign on Friday, the Cryptolaemus group of researchers fighting Emotet say that this has been happening for so many weeks that they named it Operation Zip Lock.
Emotet has used password-protected in the first half of 2019 (confirmed by Trend Micro) but Cryptolaemus says that this time the distribution is through Epoch 3 - a subgroup of the botnet with separate infrastructure.
Click to expand...

guest · Sep 29, 2020

Emotet is Having a Rough Year
September 23, 2020
https://www.vipre.com/blog/emotet-is-having-a-rough-year/

Emotet is the name of both a ransomware gang and the strain of ransomware the cybercriminals use. While Emotet remains a serious threat, their 2020 has been besmirched. They got hit with EmoCrash. Eventually Emotet recovered and went out for round two. That’s when things got weird. VIPRE was one of the first security companies to report on an unknown party trolling Emotet. Since then, more details have been uncovered. Recently Emotet made two blunders in their email scams when attempting to infect people.
EmoCrash
In February of 2020, malware researchers at Binary Defense found a bug in Emotet’s code.
After about five months, the Emotet gang was back in action.
Click to expand...

Emotehack
This was arguably the most comedic security news of 2020. An unknown individual dubbed “white knight” sabotaged Emotet’s comeback.
While it seemed to start as a simple joke it ended up effectively disrupting Emotet’s operations.
Double Blunder
Fast forward to now. It’s the end of September and Emotet is back at it again. They need a win, so they execute on a mass email scam. It’s quite clever. To bypass security software they use password-protected archives.
Unfortunately, they blundered this effort all on their own – no vigilantes required.
Click to expand...

Unfortunately, as much as these losses for Emotet may be somewhat comedic, it’s inevitable that they’ll be back with another scheme.
Click to expand...

guest · Oct 2, 2020

Emotet malware takes part in the 2020 U.S. elections
October 2, 2020
https://www.bleepingcomputer.com/news/security/emotet-malware-takes-part-in-the-2020-us-elections/

Emotet is now taking part in the United States 2020 Presidential election with a new spam campaign pretending to be from the Democratic National Convention's Team Blue initiative.

When the Emotet gang sends out spam, their main goal is to convince recipients to open the attached malicious document. This is usually done through email themes that pretend to be shipping documents, invoices, payment receipts, and voicemails.
Emotet try to capitalize on the 2020 election
Just days after the first Presidential debate, the threat actors behind Emotet are spewing out a new spam campaign that pretends to be from the DNC.

This new campaign pretends to be from the Democratic Party's 'Team Blue Take Action' initiative asking for volunteers to help Democrats get elected in the 2020 elections.
Click to expand...

According to ProofPoint, who found this new Emotet campaign, the spam emails are using the email subjects such as 'Team Blue Take Action', 'Valanters 2020', 'List of works', and 'Volunteer.'
The malicious documents are also named to coincide with the volunteer theme and include filenames such as 'Team Blue Take Action.doc', 'List of works.doc', 'Valanters 2020.doc', and 'Volunteer.doc.'
Click to expand...

Proofpoint: Emotet Makes Timely Adoption of Political and Elections Lures

However, it’s unlikely that this shift is driven by any specific political ideology. Like earlier use of COVID-19 or Greta Thunberg lure themes, TA542 is attempting to reach as many intended recipients as possible by capitalizing on a popular topic.
Click to expand...

guest · Oct 12, 2020

mood said: ↑

Emotet Return Brings New Tactics & Evasion Techniques
August 13, 2020
https://www.darkreading.com/attacks...tactics-and-evasion-techniques/d/d-id/1338654

Deep Instinct: Why Emotet’s Latest Wave is Harder to Catch than Ever Before
Click to expand...

Deep Instinct: Why Emotet’s Latest Wave is Harder to Catch than Ever Before – Part 2

Emotet appears to have reemerged more evasive than before, this time with a payload delivered from a loader that security tools aren’t equipped to handle
In the previous article, we examined the Emotet loader. We revealed how it evades detection by inserting benign code that subverts security products by obfuscating its malicious functionality. This loader contains a hidden payload that is decrypted and then executed.
This payload uses new evasion techniques that were not seen in the loader, and it has some unique indicators that will lead us to the git repository used by the developers to generate their malware.

In this blog post, the writer investigates the payload that was encrypted inside the loader, analyzes the next steps in the infection process, and discovers the techniques used to make this malware difficult to analyze.
Click to expand...

guest · Oct 17, 2020

New Emotet attacks use fake Windows Update lures
Emotet diversifies arsenal with new lures to trick users into infecting themselves
October 16, 2020
https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lures/

In today's cyber-security landscape, the Emotet botnet is one of the largest sources of malspam — a term used to describe emails that deliver malware-laced file attachments.
These malspam campaigns are absolutely crucial to Emotet operators.

To prevent security firms from catching up and marking their emails as "malicious" or "spam," the Emotet group regularly changes how these emails are delivered and how the file attachments look.
Tricking users to enable editing is just as important to malware operators as the design of their email templates, their malware, or the botnet's backend infrastructure.
Click to expand...

According to an update from the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world.
These boobytrapped documents are being sent from emails with spoofed identities, appearing to come from acquaintances and business partners.

Below is a list of the most popular Emotet document lures, according to a list shared with ZDNet by security researcher @ps66uk.
Click to expand...

guest · Oct 24, 2020

Emotet malware now wants you to upgrade Microsoft Word
October 24, 2020
https://www.bleepingcomputer.com/ne...ware-now-wants-you-to-upgrade-microsoft-word/

Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature.
New malicious document template
Emotet spam campaigns use a variety of lures to trick recipients into open an attachment, such as pretending to be invoices, shipping notices, resumes, or purchase orders, or even COVID-19 information, as shown below.
Attached to these spam emails are malicious Word (.doc) attachments or links to download one.

When opened, these attachments will prompt a user to 'Enable Content' so that malicious macros will run to install the Emotet malware on a victim's computer.
Click to expand...

To upgrade Microsoft Word, the document tells the user to click on the Enable Editing and then the Enable Content button, which will cause cause the malicious macros to execute.
These malicious macros will download and install the Emotet malware into the victim's %LocalAppData% folder, as shown below.
Click to expand...

guest · Oct 29, 2020

Emotet campaign used parked domains to deliver malware payloads
October 29, 2020
https://www.bleepingcomputer.com/ne...d-parked-domains-to-deliver-malware-payloads/

Researchers tracking malicious use of parked domains have spotted the Emotet botnet using such domains to deliver malware payloads as part of a large scale phishing campaign.

Out of 6 million newly parked domains detected as parked between March and September 2020 by Palo Alto Networks, roughly 1% started being used as part of malware or phishing campaigns.

"Often, the parking services and the advertisement networks do not have the means or willingness to filter abusive advertisers (i.e. attackers)," Palo Alto Networks.
Emotet delivery via parked domains
The attacks targeted potential victims from multiple countries around the world including the United States, the United Kingdom, France, Japan, Korea, and Italy according to researchers with Palo Alto Networks' Unit 42 threat intelligence team.
Additionally, it was used to spread Emotet payloads via phishing emails that led to credential theft and takeover of the infected devices.

"The documents attached to the phishing emails contain macro scripts that call back to the C2 servers from victims’ machines," Unit 42 explains.
Click to expand...

guest · Oct 31, 2020

Emotet malware wants to invite you to a Halloween party
October 31, 2020
https://www.bleepingcomputer.com/ne...are-wants-to-invite-you-to-a-halloween-party/

To take advantage of the trick-or-treating festivities, the Emotet malware gang is sending out spam emails that invite you to a Halloween party.
Emotet is playing a Halloween trick
The Emotet malware gang has created an email that pretends to invite you to a Halloween party to trick you into opening the malicious attachment.
Like last year, Emotet did not bother updating their template to use a Halloween orange and black color theme or make it festive by including an image of a pumpkin.

Instead, Emotet is sticking with their document template that asks users to upgrade their installed Microsoft Word version.
Click to expand...

guest · Nov 5, 2020

Emotet Attacks Continue to Soar as Botnet Spreads Globally
November 4, 2020
https://www.bankinfosecurity.com/emotet-attacks-continue-to-soar-as-botnet-spreads-globally-a-15306

The number of attacks related to Emotet continue to spike after the dangerous botnet re-emerged over the summer with a fresh phishing and spam campaign that is primarily infecting devices with a banking Trojan, according to new research from HP-Bromium.

During the third quarter of 2020, the number of Emotet infections increased 1,200% compared to the second quarter of the year, according to an analysis by HP-Bromium. After a nearly six-month hiatus, an uptick in spam and phishing emails related to the malware began in mid-July, the security researchers say (see: Emotet Botnet Returns After Months-Long Hiatus).
This increase in activity was also spotted by other researchers who note that Emotet is increasingly used to deliver a banking Trojan called QBot or QakBot to infected devices.
Click to expand...

Besides the banking Trojan, Alex Holland, senior malware analyst at HP-Bromium, notes that Emotet infections are usually the precursor to a ransomware attack.

"The typical pattern of Emotet campaigns we have seen since 2018 suggests that we are likely to see weekly spam runs until early 2021," Holland says. "The targeting of enterprises is consistent with the objectives of Emotet's operators, many of whom are keen to broker access to compromised systems to ransomware actors."
Click to expand...

guest · Nov 14, 2020

Analysing the fall 2020 Emotet Campaign
November 12, 2020
https://neurosoft.gr/analysing-the-fall-2020-emotet-campaign/

Neurosoft through its cybersecurity solution #Neutrify, in cooperation with the University of Piraeus and Athena Research Center are releasing today a white paper analyzing Emotet’s latest attack which has had a significant impact in several countries worldwide.

The paper leverages the data of a specifically crafted dataset, which contains emails, documents, executables and domains from the latest campaign. It aims to analyze the attack vector, map the infrastructure used in various stages of the campaign and perform a surface analysis of Emotet’s malicious payloads, in order to assess their potential impact. The utilized dataset consists of 3048 e-mail headers, 1968 documents, 749 executables and 1375 domains which have all been extracted from these malicious documents.
Click to expand...

(see https://www.linkedin.com/posts/neurosoft_emotet-30102020pdf-activity-6727979532613169152-YtQV, https://twitter.com/neutrify/status/1317076024035856384, https://neurosoft.gr/wp-content/uploads/2020/10/Emotet-16.10.2020.pdf).
Click to expand...

paper (PDF): https://neurosoft.gr/wp-content/uploads/2020/emotet_analysis.pdf

guest · Nov 22, 2020

Evolution of Emotet: From Banking Trojan to Malware Distributor
November 19, 2020
https://thehackernews.com/2020/11/anyrun-emotet-malware-analysis.html

Emotet is one of the most dangerous and widespread malware threats active today.
Ever since its discovery in 2014—when Emotet was a standard credential stealer and banking Trojan, the malware has evolved into a modular, polymorphic platform for distributing other kinds of computer viruses.

Usually, it is a part of a phishing attack, email spam that infects PCs with malware and spreads among other computers in the network.
The malware has changed a lot over time, and with every new version, it gets more and more threatening for victims. Let's have a closer look at how it evolved.
Click to expand...

guest · Dec 23, 2020

Emotet Returns to Hit 100K Mailboxes Per Day
December 23, 2020
https://threatpost.com/emotet-returns-100k-mailboxes/162584/

After a lull of nearly two months, the Emotet botnet has returned with updated payloads and a campaign that is hitting 100,000 targets per day.

“The Emotet botnet is one of the most prolific senders of malicious emails when it is active, but it regularly goes dormant for weeks or months at a time,” said Brad Haas, researcher at Cofense, in a Tuesday blog. “This year, one such hiatus lasted from February through mid-July, the longest break Cofense has seen in the last few years. Since then, they observed regular Emotet activity through the end of October, but nothing from that point until today.”
Click to expand...

Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told Threatpost that the campaign this week is pretty standard fare for Emotet.
She added that the most interesting thing about the campaign is the timing.

“We typically see Emotet cease operations on December 24 through early January,” she noted. “If they continue that pattern, this recent activity would be incredibly short and unusual for them.”
Click to expand...

Malwarebytes researchers meanwhile noted that the threat actors are alternating between different phishing lures in order to social-engineer users into enabling macros – including COVID-19 themes. The researchers also observed the Emotet gang loading its payload with a fake error message.

Haas’ Cofense team observed the same activity, noting that it marks an evolution for the Emotet gang.
Click to expand...

Malwarebytes: Emotet returns just in time for Christmas
Cofense: Emotet is Back for the Holidays with Updated Tactics

After a lull of nearly two months, the Emotet botnet has returned with updated payloads. The changes are likely meant to help Emotet avoid detection both by victims and network defenders. Apart from these updates, the campaigns’ targeting, tactics and secondary payloads remain consistent with previous active periods.
Click to expand...

Log in or Sign up

Emotet on the rise with heavy spam campaign

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Emotet on the rise with heavy spam campaign

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches