Emotet Ends Hiatus with New Spam Campaigns

The threat actors operating the Emotet malware broke its nearly four-month hiatus by launching a spate of malicious spam emails targeting German-, Italian-, Polish-, and English-speaking users.

This wave of Emotet-related spam emails and its related malicious components are proactively blocked by Trend Micro’s machine learning detection capabilities built into Trend Micro solutions. Emotet-related documents embedded with malicious macro are detected as Downloader.VBA.TRX.XXVBAF01FF005 and the loaders as Troj.Win32.TRX.XXPE50FFF031. Samples of Emotet are detected as TrojanSpy.Win32.EMOTET.SMCRS. Heuristic and sandbox detections via the Trend Micro™ Deep Discovery™ solution are HEUR_VBA.O2 and VAN_WORM.UMXX, respectively. Trend Micro’s behavior monitoring technology effectively blocks malicious PowerShell scripts embedded in the macros and prevents Emotet from being executed.

Here’s an overview of this threat and what organizations and users can do to defend against it.

[Trend Micro Research: Prevalence of Emotet in the North American Region]

Why did Emotet shut down?

It’s unclear why Emotet’s operators shut down their operations, although botnets going dark aren’t new. For example, Dridex and Ramnit’s operators are known to slow down their activities during holidays, especially during December and January. Other hacking groups use the hiatus to update their infrastructures, like their command-and-control (C&C) servers.

Researchers have noticed that Emotet’s C&C servers resumed their activities as early as late August, but they were not sending spam emails at the time. Security researcher Raashid Bhat saw Emotet's infrastructures starting to send out spam emails on September 16.

[Technical Analysis: Emotet’s Evasion Techniques]

Is Emotet the same as Trickbot?

No, they are different threats. Trickbot, however, is known to be one of Emotet’s many payloads, so their campaigns could overlap. In fact, a malware campaign that targeted companies in the U.S. and Europe last April used a combination of Emotet, Trickbot, and Ryuk to steal credentials and then encrypt files in the affected system.

Like Trickbot, Emotet started off as a banking trojan before transitioning into a modular downloader trojan and botnet malware that it is now known for.

[READ: Emotet’s Modular and Multilayered Operating Mechanisms]

How can Emotet get into the system?

The spam emails contain malicious URLs and are attached with Microsoft Word documents embedded with macro that, when enabled, invokes and launches a PowerShell script that accordingly downloads the Emotet malware from compromised websites. These sites, according to Malwarebytes, were mostly running on the WordPress content management system (CMS). Alternatively, some documents use downloader scripts to retrieve the Emotet malware.

[Trend Micro Midyear Security Roundup: How Messaging- and Spam-Related Threats are Diversifying]

What happens once the system has been infected with Emotet?

Emotet steals the passwords of applications installed in the infected system, and sends spam emails to its list of contacts. It will also move laterally to infect other systems connected to the network. Perhaps the more significant risk is Emotet’s capability — as a downloader trojan — to execute other payloads.

The malware’s operators are also known for spoofing and hijacking existing or ongoing email threads, embedding malicious URLs or Emotet-laden attachments.

[InfoSec Guide: Mitigating Email Threats]

What other security risks does Emotet pose?

Emotet also adds the infected system into a botnet, comprising other zombified machines that are then used to distribute more spam emails. Emotet’s operators are also known for selling their botnet as a service and partnering with other cybercriminals and threat actors, enabling the malware to deploy payloads — from ransomware families like Ryuk, Nozelesn, and BitPaymer and information stealers like Ursnif and Dridex, to name a few.

In terms of financial impact, the Cybersecurity and Infrastructure Security Agency (CISA) reported in 2018 that an Emotet-related incident can cost up to US$1 million to remediate.

[Security 101: Fileless Threats that Abuse PowerShell]

What can organizations and users do to defend against Emotet?

Here are some of the best practices businesses and users can adopt to protect against Emotet and other threats that may come with it:

Regularly patch and update (or use virtual patching ). Emotet is a modular downloader malware capable of delivering other kinds of threats that could exploit vulnerabilities. Updating and patching system, network, and server software can remove these vulnerabilities.

Emotet is a modular downloader malware capable of delivering other kinds of threats that could exploit vulnerabilities. Updating and patching system, network, and server software can remove these vulnerabilities. Secure the email gateway. Emotet’s main attack vector is spam email, which rely on social engineering to be successful. Practicing cybersecurity hygiene — both in the workplace and at home — such as identifying red flags in phishing emails, helps just as much as deploying security solutions.

Emotet’s main attack vector is spam email, which rely on social engineering to be successful. Practicing cybersecurity hygiene — both in the workplace and at home — such as identifying red flags in phishing emails, helps just as much as deploying security solutions. Enforce the principle of least privilege. Emotet abuses legitimate tools such as PowerShell as part of its attack chain. Disabling, restricting, or securing its use can significantly deter the threat from abusing them.

Emotet abuses legitimate tools such as PowerShell as part of its attack chain. Disabling, restricting, or securing its use can significantly deter the threat from abusing them. Proactively monitor the organization’s online infrastructures. For organizations, a multilayered approach can help defend against Emotet. Firewalls and intrusion detection and prevention systems help detect and block suspicious traffic or malicious network activities. Application control and behavior monitoring prevent anomalous executables and malware-related routines from running, while URL filtering helps block malicious URLs and websites that may be hosting malware.

Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from threats like Emotet by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro Apex One™ protection employs a variety of threat detection capabilities, notably behavioral analysis, which protect against malicious scripts, injection, ransomware, memory and browser attacks. The Trend Micro™ Deep Discovery™ solution has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs. It can detect remote scripts even if they are not being downloaded on the physical endpoints. The Trend Micro™ Deep Discovery Inspector solution protects customers from Emotet via this DDI rule: 2897: EMOTET - HTTP (Request) - Variant 4

Updated as of September 18, 2019, 6:45 p.m. PDT to include additional Trend Micro detection/solution.