Emotet Authors Refresh Attacks After Orthodox Christmas

What Is It?

A report from researchers at Cisco Talos describes the detection of a recent Emotet trojan campaign.

Currently, Emotet is one of the most prolific trojans in circulation, with a history of being continuously updated by its authors.

Initially released as a banking trojan, Emotet is now most often deployed as an initial infection that downloads further payloads, such as other trojans, information stealers and ransomware. Recently, Emotet has been used as the first component of an infection chain that continues with Trickbot and ends with Ryuk ransomware. Several widely circulated reports, including one from Dark Reading, cite Ryuk as responsible for the disruption to the printing presses of major newspapers between Christmas Day 2018 and New Year's Day 2019.

The researchers found these new campaigns occurred after a brief period of limited Emotet activity, coinciding with the celebration of Orthodox Christmas in Eastern European regions. As has been the case for some time, the infection vector is spam emails, containing either a Microsoft Word document attachment with a malicious macro or a direct download URL in the body of the email.

The Emotet variants distributed by these campaigns add new functionality to the malware's spamming component. The new feature lets Emotet check whether the infected system's IP address already appears on several spam blacklists, such as Spamhaus or SpamCop. Spam sent from an already-blacklisted host would largely be rejected, so skipping such hosts makes Emotet's distribution more reliable and reduces the network noise generated on infected systems that are already listed, which may allow the malware to remain undetected for an even longer period. These blacklists are conventionally queried through DNS (DNSBL lookups), so a workstation that is not a mail server suddenly resolving names under a blacklist zone is itself worth alerting on.
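The following Python example is added here to show both sides of that feature and is not code from the Talos report or from Emotet itself: how a DNSBL lookup is formed (the IP's octets are reversed and appended to a blacklist zone; an answer inside 127.0.0.0/8 means "listed", NXDOMAIN means "not listed"), and how a defender can flag non-mail hosts making such lookups in DNS query logs. The zones, the log format, the mail-server allowlist and the fake resolver table are all constructed assumptions for illustration; which zones Emotet actually queries is not stated on this page.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple

# Assumed zones for illustration. These are real public DNSBL zones, but the
# page does not say which zones Emotet queries.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# Constructed DNS-query log lines: timestamp, client IP, "query", qname, type.
DNS_LOG = """\
2019-01-14T10:02:11Z 10.0.0.25 query 7.113.0.203.zen.spamhaus.org A
2019-01-14T10:02:11Z 10.0.0.25 query 7.113.0.203.bl.spamcop.net A
2019-01-14T10:02:12Z 10.0.0.25 query www.example.com A
2019-01-14T10:03:40Z 10.0.0.5 query 7.113.0.203.zen.spamhaus.org A
"""

# Constructed allowlist: hosts that legitimately query DNSBLs (the mail relay).
MAIL_SERVERS: Set[str] = {"10.0.0.5"}

# Constructed resolver table standing in for real DNS so the example runs offline.
FAKE_DNS_TABLE = {"7.113.0.203.zen.spamhaus.org": "127.0.0.4"}


def fake_resolve(name: str) -> Optional[str]:
    """Return an A-record string for a name, or None to model NXDOMAIN."""
    return FAKE_DNS_TABLE.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name by reversing the IPv4 octets and appending
    the zone, e.g. 203.0.113.7 on zen.spamhaus.org ->
    7.113.0.203.zen.spamhaus.org. Raises ValueError for a non-IPv4 input."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, resolve: Callable[[str], Optional[str]],
              zones: List[str] = DNSBL_ZONES) -> Dict[str, bool]:
    """Query each zone with the supplied resolver. By DNSBL convention an
    answer in 127.0.0.0/8 means the address is listed; no answer means it is
    not listed. Any other answer (for example a wildcard from a hijacked or
    decommissioned zone) is treated as not listed rather than trusted."""
    listed_net = ipaddress.ip_network("127.0.0.0/8")
    result: Dict[str, bool] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        try:
            result[zone] = answer is not None and ipaddress.IPv4Address(answer) in listed_net
        except ValueError:
            result[zone] = False
    return result


def parse_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse the constructed log format into (timestamp, client, qname) tuples,
    skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "query":
            continue
        records.append((parts[0], parts[1], parts[3]))
    return records


def dnsbl_zone_for(qname: str, zones: List[str] = DNSBL_ZONES) -> Optional[str]:
    """Return the DNSBL zone a query name falls under, or None."""
    q = qname.lower().rstrip(".")
    for zone in zones:
        if q == zone or q.endswith("." + zone):
            return zone
    return None


def suspicious_dnsbl_clients(text: str, zones: List[str] = DNSBL_ZONES,
                             allowlist: Set[str] = MAIL_SERVERS) -> Dict[str, List[str]]:
    """Detection logic: map each non-allowlisted client that queried a DNSBL
    zone to the sorted list of zones it queried."""
    hits: Dict[str, Set[str]] = {}
    for _ts, client, qname in parse_dns_log(text):
        zone = dnsbl_zone_for(qname, zones)
        if zone and client not in allowlist:
            hits.setdefault(client, set()).add(zone)
    return {client: sorted(z) for client, z in hits.items()}


if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.7", "zen.spamhaus.org"))
    print(is_listed("203.0.113.7", fake_resolve))
    print(suspicious_dnsbl_clients(DNS_LOG))
```

With the constructed data, the workstation 10.0.0.25 is flagged for querying both zones while the mail relay 10.0.0.5 is ignored. In a real deployment the allowlist should be the set of hosts that are expected to make DNSBL lookups (mail gateways, anti-spam appliances), and a first hit from any other host is a strong signal of a spam-sending bot.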

How Does It Propagate?

Though Emotet malware can, at times, download self-propagating payloads, Emotet itself does not contain the necessary code to self-propagate.

Emotet uses two main attack vectors, both delivered by spam email. The first is a Microsoft Word document attachment containing malicious macros. The second is a malicious URL placed directly in the body of the spam email.

When/How Did BluVector Detect It?

A total of 355 malicious Word document samples and 105 Emotet executable samples were retrieved. BluVector’s patented Machine Learning Engine (MLE) detected all 460 samples. Regression testing has shown these samples would have been detected an average of 57 months prior to their release.
