Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/3/2019
06:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Emotet Malware Gets More Aggressive

Emotet's operators have been adding new capabilities, making the malware now even more dangerous to its enterprise targets.

Emotet, a nasty botnet and popular malware family, has proven increasingly dangerous over the past year as its operators adopt new tactics. Now armed with the ability to drop additional payloads and arriving via business email compromise (BEC), it's become a major threat to organizations.

Security watchers are wary of Emotet, which was among the first botnets to spread banking Trojans laterally within target organizations, making removal difficult. Emotet first appeared in 2014 as a Trojan designed to snatch banking credentials and other sensitive data. The threat was frequently spread via phishing emails packed with malicious documents or links.

Over time, Emotet's operators - a group called Mealybug - have evolved its business model and the shape of their attack from a banking Trojan to a means of delivering other groups' threats. In 2018, Webroot dubbed Emotet the year's worst botnet seen distributing banking Trojans.

"Its information stealing payloads are delivered at an impressive pace, suggesting threat actors have automated multiple steps in their campaign operations," Webroot researchers write in a blog post on their rankings of 2018's worst threats. The changes to Emotet, while gradual at first, quickly ramped up in recent years as attackers switched to even more nefarious tactics.

After a quiet period in 2015, Emotet detections spiked in the second half of 2017, Symantec reported. Mealybug's victims expanded that year to include targets in Canada, China, Mexico, and the UK. Toward the end of 2017, the Cylance Threat Research Team analyzed a malicious Microsoft Word file with a malicious macro program created to download Emotet malware.

Taking on New Threats

In 2018, Mealybug ramped up its activity to the point where it was selling malware to other actors, says Sig Murphy, managing director of incident response and forensics at Cylance. Emotet was combined with Trickbot and Qakbot, a tactic Symantec also had detected in Feb. 2018. The blend of Emotet with other strains of ransomware made the threat more dangerous.

"The combination there is really hard to defend against properly because the loader is polymorphic," says Murphy. "It changes every time it infects a computer."

US-CERT issued an alert for Emotet in July 2018, calling it an advanced modular banking Trojan that mainly functions as a downloader or dropper of other banking Trojans. Emotet is "the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors," it says, costing governments up to $1M per incident.

This hybrid threat model "is a unique challenge" to organizations, Murphy says, and catches many off guard. Emotet alone used to drop its own Emotet-branded malware. Later in the year, it was used to deliver new types of threats. Before, it would collect email credentials and use them to spread laterally. It later became interested in the content of targeted emails, he adds.

"It's pretty clear they're trying to pivot into [the] BEC attack model, which is different from what they've done in the past," says Murphy of the Mealybug threat group's evolving strategies. In August 2018, Trend Micro pick up on Spoofed banking emails arriving with Emotet malware. For example, spam emails contain payment notifications from spoofed bank email addresses. The email's body has a link to download a .doc file, which contains macros that, when run, activate a PowerShell command that downloads and runs the Emotet malware, researchers explain. 

After ramping up in early 2018, Murphy says Emotet increased again during the holiday season. Through the start of 2019, the malware continued to spread, and new enterprise clients were asking Cylance for help after getting infected, he says. Its growth signifies greater maturity among the Mealybug actors as they learn what's effective.

"They seem much more organized than a lot of other groups," Murphy explains. "The shift [to BEC] says they're continuing to be more organized … they know what's working and what's not." New ransomware variants like Qakbot provide a new source of income, he adds.

Thinking Ahead of the Attackers

It's hard to tell what Mealybug will do next. One route they could take, says Murphy, is attempt to make their attacks quieter. While he has no indication they might do this, he points out how Emotet in its current form is "very noisy" in its spread. If they could change the threat so it spreads without taking down systems, it would be harder to know a business is at risk.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
1/9/2019 | 7:10:42 AM
For a bit of humor
Which we all need from time to time.  Doesn't Emotet sounds like somebody buried in the Valley of the Kings in Egypt?
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4230
PUBLISHED: 2020-02-19
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 and 11.5 is vulnerable to an escalation of privilege when an authenticated local attacker with special permissions executes specially crafted Db2 commands. IBM X-Force ID: 175212.
CVE-2019-4429
PUBLISHED: 2020-02-19
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162886.
CVE-2019-4457
PUBLISHED: 2020-02-19
IBM Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 could allow an authenticated user to obtain sensitive information that could be used in further attacks against the system. IBM X-Force ID: 163654.
CVE-2019-4640
PUBLISHED: 2020-02-19
IBM Security Secret Server 10.7 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code which could result in an attacker executing malicious code. IBM X-Force ID: 170046.
CVE-2020-4135
PUBLISHED: 2020-02-19
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated user to send specially crafted packets to cause a denial of service from excessive memory usage.