The dangerous and highly adaptable Emotet malware has resurfaced after a short hiatus and the new spam campaigns that have cropped up this week are employing clever social engineering and tactics that allow the malware to evade many defensive technologies.
Emotet has been in circulation for more than five years and began its life as a typical banking trojan, stealing credentials for financial sites from infected computers. The main method Emotet’s operators used to accomplish this was injecting malicious code into running processes, and it has been quite successful over the years. Emotet spreads mostly through malicious spam messages, many of which have subject lines and sender addresses that make them appear to be from legitimate companies such as PayPal, Microsoft, and others. The messages typically include an attachment, often a Word document, that contains the malware.
The most recent spam run from the Emotet operators, which began Sept. 16, is using two interesting techniques that help bolster the malware’s successful infection rate and continue its propagation. One of the things the malware does after infecting a new machine is to scoop up the contents of the email inbox. It then uses the contents of legitimate messages in the victim’s inbox to build a new email that appears to be part of an existing thread, attaches the malicious document to it, and sends it to the victim. The technique boosts the legitimacy of the infected message in the eyes of the victim and makes it much more likely that the victim will open the email and the attachment.
“It's easy to see how someone expecting an email as part of an ongoing conversation could fall for something like this, and it is part of the reason that Emotet has been so effective at spreading itself via email. By taking over existing email conversations, and including real Subject headers and email contents, the messages become that much more randomized, and more difficult for anti-spam systems to filter,” Colin Grady, William Largent, and Jaeson Schultz of Cisco’s Talos Intelligence Group wrote in an analysis of the new Emotet campaign.
This technique has helped Emotet slip past many antispam and antimalware systems and find its way into the inboxes of victims. Spam and malware detection systems have become quite effective at catching the vast majority of junk and malicious messages, so people tend to place a fair amount of trust in the messages that do make it their inboxes.
“Emotet's recent campaign didn't manage to evade spam traps entirely though, because some of the harvested emails were spam themselves; possibly with forged senders. Some of the emails we saw in our tests were such replies which, amusingly, included emails with an 'updated document' in response to dating spam,” Martijn Grooten of Virus Bulletin wrote in an analysis of the recent campaign.
“Even so, we noted that many products in our test lab failed to recognise the emails as either spam or malicious. This is part of a worrying trend we have seen for a while, with malicious spam campaigns having much higher delivery rates than regular spam, sometimes as much as ten per cent of the emails piercing through the first defence layer.”
Ninety-two percent of the credentials stolen by Emotet disappeared within one week.
In addition to the inclusion of manufactured email content, Emotet also has been seen using stolen email credentials to help turn infected machines into nodes in its spam botnet. Once it infects a new computer, Emotet will harvest the victim’s email username, password, and outbound mail server information and then use that information to send spam from the account. To feed that spam machine, Emotet’s operators use the hundreds of thousands of previously stolen credential sets in their database. Talos researchers looked at the credentials used in this operation and found that while many of them have quite a short useful lifespan, a small fraction are used for months at a time.
“Over the past 10 months, Cisco Talos collected 349,636 unique username/password/IP combos. Of course, many larger networks deploy multiple mail server IP addresses, and in the data we saw a fair amount of repeat usernames and passwords using different, but related mail server IPs. Eliminating the server IP data, and looking strictly at usernames and passwords, Talos found 202,675 unique username-password combinations,” the Talos researchers said.
“Since Talos was observing infections over a monthslong timeframe, we were able to make an assessment regarding the average lifespan of the credentials we saw Emotet distributing. In all, the average lifespan of a single set of stolen outbound email credentials was 6.91 days. However, when we looked more closely at the distribution, 75 percent of the credentials stolen and used by Emotet lasted under one day. Ninety-two percent of the credentials stolen by Emotet disappeared within one week. The remaining 8 percent of Emotet's outbound email infrastructure had a much longer lifespan.”
This newest campaign surfaced after several months of inactivity from the Emotet operators. It’s not clear why the operators took a break, but now that they have ramped up their activity again it’s a good opportunity for enterprise defenders to remind users to be wary of unexpected emails, and warn against password reuse across multiple accounts.