[BreachExchange] Emotet Malware Gets More Aggressive

Destry Winant destry at riskbasedsecurity.com
Mon Jan 7 00:15:31 EST 2019


https://www.darkreading.com/attacks-breaches/emotet-malware-gets-more-aggressive-/d/d-id/1333584

Emotet's operators have been adding new capabilities, making the
malware now even more dangerous to its enterprise targets.

Emotet, a nasty botnet and popular malware family, has proven
increasingly dangerous over the past year as its operators adopt new
tactics. Now armed with the ability to drop additional payloads and
arriving via business email compromise (BEC), it's become a major
threat to organizations.

Security watchers are wary of Emotet, which was among the first
botnets to spread banking Trojans laterally within target
organizations, making removal difficult. Emotet first appeared in 2014
as a Trojan designed to snatch banking credentials and other sensitive
data. The threat was frequently spread via phishing emails packed with
malicious documents or links.

Over time, Emotet's operators - a group called Mealybug - have evolved
its business model and the shape of their attack from a banking Trojan
to a means of delivering other groups' threats. In 2018, Webroot
dubbed Emotet the year's worst botnet seen distributing banking
Trojans.

"Its information stealing payloads are delivered at an impressive
pace, suggesting threat actors have automated multiple steps in their
campaign operations," Webroot researchers write in a blog post on
their rankings of 2018's worst threats. The changes to Emotet, while
gradual at first, quickly ramped up in recent years as attackers
switched to even more nefarious tactics.

After a quiet period in 2015, Emotet detections spiked in the second
half of 2017, Symantec reported. Mealybug's victims expanded that year
to include targets in Canada, China, Mexico, and the UK. Toward the
end of 2017, the Cylance Threat Research Team analyzed a malicious
Microsoft Word file with a malicious macro program created to download
Emotet malware.

Taking on New Threats

In 2018, Mealybug ramped up its activity to the point where it was
selling malware to other actors, says Sig Murphy, managing director of
incident response and forensics at Cylance. Emotet was combined with
Trickbot and Qakbot, a tactic Symantec also had detected in Feb. 2018.
The blend of Emotet with other strains of ransomware made the threat
more dangerous.

"The combination there is really hard to defend against properly
because the loader is polymorphic," says Murphy. "It changes every
time it infects a computer."

US-CERT issued an alert for Emotet in July 2018, calling it an
advanced modular banking Trojan that mainly functions as a downloader
or dropper of other banking Trojans. Emotet is "the most costly and
destructive malware affecting state, local, tribal, and territorial
(SLTT) governments, and the private and public sectors," it says,
costing governments up to $1M per incident.

This hybrid threat model "is a unique challenge" to organizations,
Murphy says, and catches many off guard. Emotet alone used to drop its
own Emotet-branded malware. Later in the year, it was used to deliver
new types of threats. Before, it would collect email credentials and
use them to spread laterally. It later became interested in the
content of targeted emails, he adds.

"It's pretty clear they're trying to pivot into [the] BEC attack
model, which is different from what they've done in the past," says
Murphy of the Mealybug threat group's evolving strategies. In August
2018, Trend Micro pick up on Spoofed banking emails arriving with
Emotet malware. For example, spam emails contain payment notifications
from spoofed bank email addresses. The email's body has a link to
download a .doc file, which contains macros that, when run, activate a
PowerShell command that downloads and runs the Emotet malware,
researchers explain.

After ramping up in early 2018, Murphy says Emotet increased again
during the holiday season. Through the start of 2019, the malware
continued to spread, and new enterprise clients were asking Cylance
for help after getting infected, he says. Its growth signifies greater
maturity among the Mealybug actors as they learn what's effective.

"They seem much more organized than a lot of other groups," Murphy
explains. "The shift [to BEC] says they're continuing to be more
organized … they know what's working and what's not." New ransomware
variants like Qakbot provide a new source of income, he adds.

Thinking Ahead of the Attackers

It's hard to tell what Mealybug will do next. One route they could
take, says Murphy, is attempt to make their attacks quieter. While he
has no indication they might do this, he points out how Emotet in its
current form is "very noisy" in its spread. If they could change the
threat so it spreads without taking down systems, it would be harder
to know a business is at risk.


More information about the BreachExchange mailing list