Pierluigi Paganini September 19, 2019

Emotet is back, its operators leverage a recently introduced spear-phishing technique to deliver their malware, they are hijacking legitimate email conversations.

In 2019, security experts haven’t detected any activity associated with Emotet since early April, when researchers at Trend Micro have uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as Proxy C2 servers.

In the last four months, Emotet was not spotted in the wild, but now the threat is back with an active spam distribution campaign. Researchers from Malwarebytes observed the Trojan started pumping out spam, spam messages initially targeted users in Germany, Poland and Italy, and also the US. The campaign continues targeting users in Austria, Switzerland, Spain, the United Kingdom, and the United States.

The researchers observed hundreds of thousands of messages were sent as part of this distribution effort.

The most notable characteristic of this campaign is the reuse of stolen email content to trick recipients into opening attachments or clicking on links pointing to weaponized Word documents that were used to fetch and execute Emotet.

“Note the personalization in the email subject lines. Borrowing a tactic from North Korean nation-state actors, Emotet’s creators are bringing back highly sophisticated spear phishing functionality introduced in April 2019, which includes hijacking old email threads and referencing to the user by name.” reads the report.

The operators are hijacking legitimate email threads as part of a social engineering attack.

The same activity was observed by the malware researchers at Cisco Talos group.

“One of Emotet’s most devious methods of self-propagation centers around its use of socially engineered spam emails. Emotet’s reuse of stolen email content is extremely effective.” reads the analysis published by Talos.

“Once they have swiped a victim’s email, Emotet constructs new attack messages in reply to some of that victim’s unread email messages, quoting the bodies of real messages in the threads,”

The operators are also using real subject headers and email contents in the attempt to bypass anti-spam systems.

“By taking over existing email conversations, and including real Subject headers and email contents, the messages become that much more randomized, and more difficult for anti-spam systems to filter.” continues Talos.

Emotet has been swiping email credentials for the victims and sharing them with other bots in its network to send out spam messages.

Experts at Talos discovered that in April 2019, Emotet was using hijacking email conversations in only 8.5% of the infection attempts. The situation is now changed, the latest campaign sees that stolen email threads appeared in nearly one quarter of Emotet’s outbound emails.

“Looking at all the email Emotet attempted to send during the month of April 2019, we found Emotet included stolen email conversations only approximately 8.5 percent of the time. states Talos. Since Emotet has reemerged, however, we have seen an increase in this tactic with stolen email threads appearing in almost one quarter of Emotet’s outbound emails.”

The operators used a large database of potential recipients in this last campaign, experts noticed that 97.5% of Emotet’s recipients reached in April 2019 received only a single spam message.

“Emotet has been around for years, this reemergence comes as no surprise. The good news is, the same advice for staying protected from Emotet remains. To avoid Emotet taking advantage of your email account, be sure to use strong passwords and opt in to multi-factor authentication, if your email provider offers that as an option.” concludes the experts. “Be wary of emails that seem to be unexpected replies to old threads, emails that seem suspiciously out of context, or those messages that come from familiar names but unfamiliar email addresses.”

Pierluigi Paganini

(SecurityAffairs – Emotet, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]