Emotet Returns, Spreads via Hijacked Email Conversations

Hijacked Email

Following a 4-month vacation, Emotet’s operators are back at it, borrowing a recently introduced spear-phishing technique to deliver their malware: hijacking legitimate email conversations.

Also known as Geodo, Emotet has developed to steal other kinds of delicate data, and to become downloader for other malware families, such as TrickBot Trojan and Ryuk ransomware.

Emotet has been away from the threat landscape since the beginning of June but the activity surrounding it began again on September 16.

The fresh campaign appears to be common and targets consumers across Europe, but also in the US. As part of this distribution attempt, hundreds of thousands of emails were sent.

Malwarebytes claims in the early hours of Monday that Emotet received malicious messages with templates in German, Polish and Italian. The attacks have since spread to Austria, Switzerland, Spain, the United Kingdom and the United States.

One of the new campaign’s most remarkable features is the reuse of stolen email contents to trick the recipients into opening attached or connected Word documents with malicious macros to pick and run Emotet.

“Once the email of a victim has been swept away, Emotet builds fresh attack posts in response to unread email texts of that victim, citing the bodies of actual texts in the threads,” Cisco Talos notes.

This removal of lawful e-mail threads guarantees greater success rates because the recipient is more likely to open an attachment obtained as a response in an continuing talk.

The techniques involve not only taking over current email discussions, but also making it hard to filter malicious email for spam-free applications by means of actual topic headers and email contents.

Furthermore, Emotet gleaned the credentials of victims for sending outbound emails and circulated data to other bots in its network, which then used credentials to send outbound Emotet attack emails.

In April 2019, Emotet used stolen email discussions in only 8.5% of the attacks. In approximately one quarter of Emotet’s outbound messages, stolen email threads emerged this week.

Malware providers also appear to have a significantly broad database with prospective recipients to draw from, with only one malicious message received by 97.5% of Emotet’s recipients in April 2019.

“While we often see threat performers taking up rehabilitation breaks, changing payloads or even on vacation, breakages are generally not long, especially for malware that is so prominent in the threat scenery. We lately observed control traffic and anticipated that campaigns will resume in the near future, “Proofpoint Sherrod DeGrippo, Senior Threat Research and Detection Director, told SecurityWeek in an emailed declaration.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.