A recent wave of activity by the Emotet malware has focused much of its attention on victims in the U.S. military and government sectors, leading the Department of Homeland Security to issue a warning about the spike in infections and targeting tactics.
Emotet is by no means a new threat, having been active for about six years now, but the threat actors behind it continually change their tactics and adapt to network defenses. A few months ago, Emotet began using a new technique post-infection that involved gathering the contents of a victim’s email inbox and then building new messages from existing threads. The malware will then insert a malicious attachment to the new message and send it to the recipient of the original emails, a tactic that takes advantage of the recipient’s trust of the sender.
This technique has proven to be quite effective and is ingenious in its simplicity. The Emotet-generated malicious emails often have text that looks completely legitimate and appropriate to the conversation in the existing thread, adding to the authenticity of the message. In order for this tactic to work, Emotet only needs to infect one victim in a given organization, or even a victim adjacent to the organization, such as a supplier, contractor, or customer. Anyone with an existing trust relationship is good enough.
In December and January, researchers with the Cisco Talos Intelligence Group noticed a major increase in the volume of Emotet-infected emails coming from and going to addresses in military and government domains.
“Looking at the individual messages sometimes allows us to determine the identity of the Emotet victim and whether that victim is internal or external to the recipient organization. After all, Emotet wants recipients of its messages to recognize who the message came from as part of their social engineering efforts. Unfortunately, this doesn't work 100 percent of the time, because some of the messages sent by Emotet strip the original victim's personal data and drop the TLD in an attempt to impersonate only the organization. This results in the unintentionally comical reduction of domains like ‘us.af.mil’ to simply ‘Us.af’,” a Talos analysis says.
“However, more often, Emotet will leave the contact information for the individual victim inside the propagation email. The message may also include the contents of a previous email exchange between the two recipients, just to add extra authenticity. For example, the following message was sent by Emotet to an individual working for U.S. Sen. Cory Booker. The From header and signature generated by Emotet both suggest that this message originated from an infected colleague at ‘booker.senate.gov’.”
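The thread-hijacking shape described above (a reply-style subject, a quoted earlier exchange, a document attachment, and a From header whose display name claims an organization the sending address does not belong to, sometimes reduced to a TLD-less token such as ‘Us.af’) can be turned into a simple mail-gateway triage check. The following is an added example, not Talos or CISA code; the sample messages, names, addresses and domains are constructed placeholders, and the small TLD allow-list and the two-signal threshold are assumptions chosen for the illustration.

```python
"""Triage inbound mail for the Emotet thread-hijack shape described in the article.

Added illustrative example (not Talos or CISA tooling). Everything in SAMPLES is
constructed for this example; no real Emotet artefacts are reproduced.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of top-level labels. A bare dotted display name whose last
# label is not in this set (e.g. "Us.af") matches the TLD-stripped form Talos saw.
KNOWN_TLDS = {"mil", "gov", "com", "org", "net", "edu", "test"}

DOTTED_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
DOMAIN_TOKEN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")
REPLY_SUBJECT_RE = re.compile(r"^\s*(?:re|fw|fwd)\s*:", re.I)
QUOTED_LINE_RE = re.compile(r"^\s*>|\bwrote:\s*$", re.M)

# Constructed sample messages (placeholders, not real mail).
SAMPLES = {
    # Display name claims an agency mailbox, the actual sender is elsewhere; reply
    # subject, quoted thread and a document attachment complete the shape.
    "hijacked_reply": (
        'From: "john.smith@example-agency.test" <user17@example-mailer.test>\n'
        "To: alice.jones@example-agency.test\n"
        "Subject: RE: contract renewal dates\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\n"
        "Please see the attached document.\n\n"
        "On Tue, Alice Jones wrote:\n> Can you confirm the renewal dates?\n"
        "--b1\nContent-Type: application/msword\n"
        'Content-Disposition: attachment; filename="invoice.doc"\n\n'
        "placeholder-bytes\n--b1--\n"
    ),
    # Organization reduced to a TLD-less token in the display name.
    "truncated_org": (
        "From: Us.af <user22@example-mailer.test>\n"
        "To: bob.lee@example-agency.test\n"
        "Subject: RE: travel orders\n"
        'Content-Type: multipart/mixed; boundary="b2"\n'
        "\n--b2\nContent-Type: text/plain\n\n"
        "Updated orders attached.\n\n"
        "On Mon, Bob Lee wrote:\n> Any update on the orders?\n"
        "--b2\nContent-Type: application/msword\n"
        'Content-Disposition: attachment; filename="orders.doc"\n\n'
        "placeholder-bytes\n--b2--\n"
    ),
    # Ordinary reply: consistent sender, quoted thread, no attachment.
    "benign_reply": (
        "From: Jane Doe <jane.doe@example-agency.test>\n"
        "To: alice.jones@example-agency.test\n"
        "Subject: RE: contract renewal dates\n"
        "Content-Type: text/plain\n"
        "\nThanks, confirmed.\n\n"
        "On Tue, Alice Jones wrote:\n> Can you confirm the renewal dates?\n"
    ),
}


def has_attachment(msg):
    """True if any MIME part is declared as an attachment."""
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def plain_text(msg):
    """Concatenate the inline text/plain parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw):
    """Return the list of thread-hijack signals present in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name = name.strip().lower()
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    # Signal 1: display name is a bare dotted token with no recognised TLD ("us.af").
    if DOTTED_RE.match(name) and name.rsplit(".", 1)[-1] not in KNOWN_TLDS:
        reasons.append("display-name-truncated-domain")
    # Signal 2: display name names an organization domain other than the sending domain.
    for token in DOMAIN_TOKEN_RE.findall(name):
        if token.rsplit(".", 1)[-1] in KNOWN_TLDS and token != from_domain:
            reasons.append("display-name-domain-mismatch")
            break
    # Signal 3: reply-style subject plus attachment plus quoted earlier exchange.
    if (REPLY_SUBJECT_RE.match(msg.get("Subject", ""))
            and has_attachment(msg)
            and QUOTED_LINE_RE.search(plain_text(msg))):
        reasons.append("reply-with-attachment-and-quoted-thread")
    return reasons


def is_suspicious(raw):
    """Assumed triage threshold: two or more signals warrant a closer look."""
    return len(triage(raw)) >= 2


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {triage(raw)} suspicious={is_suspicious(raw)}")
```

Signal 3 on its own fires for any legitimate reply that carries an attachment, which is why the threshold requires a second, sender-identity signal; in practice the sender checks would be backed by authentication results (SPF, DKIM, DMARC) rather than header text alone.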
The secondary issue with Emotet infections is the potential collateral damage once the malware is on a network. Through its theft of email contents, Emotet may have access to confidential information that could be used in other operations. This hasn’t been an observed technique from the Emotet attackers, but the potential certainly is there.
In an alert published Wednesday, the Cybersecurity and Infrastructure Security Agency warned about just such an issue.
“Emotet is a sophisticated Trojan that commonly functions as a downloader or dropper of other malware. Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation,” the CISA alert says.