Emotet remained the most widespread malware observed in September for the third month on the trot, affecting 14% of organisations worldwide, after coming back online over the summer following one of its customary breaks, according to data compiled from Check Point’s ThreatCloud monitoring service.
The highly dangerous Emotet malware started life as a banking trojan, but is now more widely used to distribute other malware or malicious campaigns. It has multiple tools in its kit that allows it to maintain persistence on victim systems and escape detection and is most usually spread via malicious links in phishing emails. Once the links are clicked, the Emotet payload is launched and the malware then attempts to proliferate across the network by brute-forcing credentials and writing to shared drives – these worm-like features make it quite hard to combat.
Check Point found the next most widespread malware in September was banking trojan Trickbot, which has recently been updated with some new features that make it more flexible as an element of multipurpose criminal campaigns, and Dridex, a Windows-specific trojan spread via spam email attachments that steals data.
Check Point also noted the emergence of an updated version of Valak, which began life in 2019 as a malware dropper but has now evolved into an information stealer capable of exfiltrating sensitive information from Microsoft Exchange mail systems, user credentials and domain certificates. It spreads through spam campaigns as a malicious .doc file.
“These new campaigns are another example of how threat actors look to maximise their investments in established, proven forms of malware,” said Check Point director of threat intelligence and research Maya Horowitz.
“Together with the updated versions of Qbot, which emerged in August, Valak is intended to enable data and credentials theft at scale from organisations and individuals. Businesses should look at deploying anti-malware solutions that can prevent such content from reaching users and advise their employees to be cautious when opening emails, even when they appear to be from a trusted source.”
Such has been the spread of Emotet in the past few weeks that the US Cybersecurity and Infrastructure Security Agency (CISA) took the step of issuing a specific alert on 6 October.
“Since August, CISA and MS-ISAC [the Multi-State Information Sharing and Analysis Center] have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats,” said the agency.
Chloé Messdaghi, Point3 Security
“The resurgence of Emotet this year has been particularly dangerous and governments around the world have been warning about it,” said Chloé Messdaghi, strategy vice-president at Point3 Security.
“I’m glad to see CISA pushing the messaging and bringing awareness to this serious threat. What’s troubling is that so many city, county and state authorities are still running older tech, which makes them far more vulnerable to attacks and data exfiltration, as well as to innuendo about the security and reliability of our upcoming elections.”
Dan Piazza, technical product manager at Stealthbits Technologies, said: “The surge in evolved Emotet attacks perfectly exemplifies the need to continuously educate users on how to detect and avoid phishing emails. Although spam filters and other methods of blocking malicious emails should be in place for all organisations, it only takes one email to get through and successfully trick a user for Emotet to start moving laterally throughout a network and eventually into domain admin rights.
“Emotet will also hijack legitimate, existing email threads once a host has been infected, so users need to be wary of every email they receive and not just new threads from fake or spoofed addresses.
“Unfortunately, it’s inevitable that a user will eventually slip up, succumb to a phishing attack, and become infected. That’s when Emotet starts to move laterally through the network until they become a domain admin.
“However, it’s possible to block this attack by using a combination of real-time threat detection and response as well as privileged access management, ultimately reducing the standing privilege in a network to zero. As long as Emotet can’t gain domain admin privileges, the scope of the attack can be greatly reduced – which also buys time for the security team to remove the malware,” said Piazza.
Meanwhile, researchers at Proofpoint recently observed one group sending thousands of Emotet-laced emails with the subject line “Team Blue Take Action” to trick potential volunteers for Democrat Joe Biden’s presidential campaign into clicking, using body text grabbed directly from the Democratic National Committee’s website. In this case, Emotet was being used as the downloader for Qbot.
In a sign that threats are now rapidly coalescing around the pivotal US election, Proofpoint has also spotted similar emails using the hospitalisation of president Trump with Covid-19 as a lure.