The ever-changing malware is jumping in the middle of people’s existing email conversations to spread itself without suspicion.
Emotet, the banking trojan that has evolved into so much more, is back after a summer hiatus, dropping other banking trojans, information stealers, email harvesters, self-propagation mechanisms and ransomware.
According to researchers at Cisco Talos, Emotet took a breather at the beginning of June 2019, with its command-and-control (C2) activities dwindling to almost nothing. But as of mid-September, Emotet has resumed spamming operations once again.
A separate analysis from Malwarebytes meanwhile showed additional activity spiking this week, with Emotet serving as a delivery vector for more dangerous payloads, such as TrickBot and other ransomware families.
“Emotet is most notorious for collateral damage inflicted as part of a blended attack,” Malwarebytes said in a posting on Wednesday. “Dubbed the triple threat by many in security, Emotet partners with TrickBot and Ryuk ransomware for a knockout combo that ensures maximum penetration through the network so that valuable data may be stolen and sold for profit, while the rest is encrypted in order to extort organizations into paying the ransom to retrieve their files and systems.”
The resurgence also continues one of Emotet’s most devious email-based self-propagation methods, according to Cisco Talos researchers Colin Grady, William Largent and Jaeson Schultz. The trojan accesses old email messages in a victim’s inbox and replies to them, thus jumping into the middle of an existing email conversation. Purporting to be a legitimate correspondent, it sends along a malicious attachment.
“Emotet’s reuse of stolen email content is extremely effective,” they said in a recent blog post. “Once they have swiped a victim’s email, Emotet constructs new attack messages in reply to some of that victim’s unread email messages, quoting the bodies of real messages in the threads. It’s easy to see how someone expecting an email as part of an ongoing conversation could fall for something like this.”
Emotet was seen in Cisco Talos telemetry as using stolen email conversations only approximately 8.5 percent of the time before its summer hiatus; since then, the researchers said there’s been an uptick in the tactic to account for almost a quarter of all of Emotet’s outbound emails.
What’s interesting is that the messages aren’t always sent using the victim’s own Emotet-infected computer; many times, the messages are sent from an Emotet infection in a completely different location, utilizing a completely unrelated outbound SMTP server.
“It turns out that in addition to stealing the contents of victims’ inboxes, Emotet also swipes victims’ credentials for sending outbound email,” the researchers explained. “Emotet then distributes these stolen email credentials to other bots in its network, who then utilize these stolen credentials to transmit Emotet attack messages.”
In the past 10 months, Cisco Talos telemetry shows Emotet lifting 202,675 unique username and password combinations for email.
Meanwhile, the Malwarbytes threat intelligence team saw the aforementioned new active spam distribution campaign starting in the wee hours of Monday morning, with templates spotted in German, Polish, and Italian. The team then started seeing phishing emails sent in English as well, with the subject line “Payment Remittance Advice.”
In this campaign, once Emotet is installed on the endpoint, it begins propagating by spreading laterally to other endpoints in the network and beyond. It also steals credentials from installed applications and spams the user’s contact list.
To protect against Emotet, user should employ strong passwords and opt in to multi-factor authentication; they should also be wary of emails that seem to be unexpected replies to old threads, emails that seem suspiciously out of context, or those messages that come from familiar names but unfamiliar email addresses.
“When a threat group goes silent, it’s unlikely they’ll be gone forever,” said Cisco Talos researchers. “Rather, this opens up the opportunity for a threat group to return with new IOCs, tactics, techniques and procedures or new malware variants that can avoid existing detection. Just as we saw earlier this year with the alleged breakup of the threat actors behind Gandcrab, it’s never safe to assume a threat is gone for good.”