January 28, 2020 | 3 minute read
The malware DHS has described as the "most destructive ever" is surging yet again. This is nothing new; Emotet tends to cyclically jump in activity and then subside as reused IPs are found and blocked. What makes this campaign interesting is looking at why Emotet is as popular as it is, who the attackers are choosing to target, and in what volume. All these factors together have led CISA and other institutions to issue alerts warning about the threat.
The Cybereason team is seeing a dramatic uptick in the incidence of Emotet over the past few months. This latest surge alone, which began last week, started with nearly three quarters of a million messages in one day. If you are worried you may be at risk, download our free tool, Emotet-Locker, which helps Windows machines prevent specific strains of the malware.
Emotet was first identified as early as 2014 as a trojan used to steal banking credentials and has quickly iterated and updated ever since. Shortly after Version 1 was released, it was updated to Version 2 with money transfer, malspam, and banking features. By January 2015, it had evolved yet again with evasive features.
Emotet’s capabilities have continued to advance significantly into a type of modular malware. Because of its modular nature and the practicality of Emotet’s distribution features, it is often used by attackers to gain a foothold in a target environment.
Emotet’s main infection vector is phishing email that carries malicious links or macro-embedded Microsoft Word files. Once deployed, Emotet can launch different malware payloads based on the target machine and its goal. In recent years, it has become one of the most commonly employed pieces of commodity malware.
We’ve seen Emotet leveraged this way in the past with severe consequences, like when it was used to deploy TrickBot and Ryuk in the same incident. TrickBot is a modular trojan that can be used to harvest emails and other credentials, as well as Bitcoin wallets. Meanwhile, Ryuk is a type of ransomware that can not only steal credentials, but also target high-profile data and servers to use for ransom. Deploying these two different types of malware at the same time during the same attack is a brutal awakening for an affected organization, which can lose valuable personal data, passwords, mail files, browser data, registry keys, and more.
Emotet has become a popular if not prolific tool for attackers over the past six years, and for good reason. Its modular architecture makes it easy to customize based on the target environment and what the attacker wants to steal. It’s often used by attackers to gain a foothold in victims’ environments and is a dynamic addition to an attacker's malware arsenal. Oftentimes, attackers will leverage Emotet to deploy ransomware with devastating consequences. Emotet infections have cost SLTT governments up to $1 million per incident to remediate, according to CISA.
It can also easily be spread via a shotgun approach for maximum impact. Attackers use a simple phishing email sent to millions of accounts on the probability that someone, somewhere will click on the link or download the file and become infected. This is a low-cost, high-reward way to find targets to infect, and something we have seen with Emotet regularly. There have been many instances where attackers have spammed organizations with Emotet to raise the probability of infection without any consequences to themselves.
The creators of Emotet have a penchant for selling Emotet on a Malware-as-a-Service (MaaS) model. With MaaS, just about anyone can start attacking and stealing data, whether they create malware or not. Many malware developers treat MaaS just like a Software-as-a-Service business, providing an easy-to-use interface and regular feature updates. They often even have dedicated support teams to service "customers" faster, and showcase positive reviews, as with the Raccoon Infostealer.
MaaS dramatically lowers the barrier to entry into the cybercrime space, down to non-technical individuals looking to make a quick buck. Further, it only makes it easier for Emotet to spread more rapidly and impact more organizations.
An increase in Emotet activity is targeting US military and federal and state government domains. Attackers have even been able to compromise multiple accounts of individuals working with the US government, despite heightened awareness around cyberattacks following the US-Iran conflict a few weeks ago.
This is not the first time Emotet has been used to target government officials. Last year, Berlin’s high court was targeted by attackers leveraging Emotet, and attackers were able to steal sensitive data. Targeting government organizations is an interesting twist for commodity malware, which ordinarily targets indiscriminately or pinpoints businesses, hospitals, and other institutions.
However, it's important to note that attackers have used Emotet against many different kinds of organizations in the past, not just limited to the government. The spray-and-pray technique looks for the most impact with the least manual work, and when the motive is money, will not necessarily target a specific type of organization.
Emotet has been around for a long time, but its constant evolution has enabled it to stay top-of-mind as a go-to tool for attackers. The ramifications of a successful Emotet infection can be severe because of its modular nature and ability to deploy many different kinds of malware after infection. If you have not been hit by this threat, it's important to leverage these times of calm to strengthen your security and develop constant vigilance.
I've spent several years in cybersecurity and have been recognized globally for my security research. Over the past ten years, I've held various engineering, development, and consulting roles in the technology sector and received a B.S. degree in Computer Engineering. Now, I am a Security Strategist at Cybereason.

All Posts by Allie Mellen