Since resuming operations after a holiday hiatus, the malicious actors behind the Emotet banking trojan network have reportedly targeted at least 82 countries with spam and crafted a special phishing campaign targeting the United Nations.
Meanwhile, an additional report has revealed an increase in Emotet phishing activity targeting government and military entities over the last few months of 2019, with signs of this trend continuing into the new year.
Citing researcher Joseph Roosen, and email security firm Cofense, BleepingComputer reported earlier this week that the Emotet network launched a major spam assault on Jan. 13, with a strong focus on the U.S., after a three-week break in activity.
Reportedly, many of the phishing emails purported to contain business-related Microsoft Word attachments such as proof-of-delivery documents and agreements. Users who opened these attachments and enabled the malicious macros embedded within were subsequently infected with Emotet.
A particularly targeted Emotet phishing mail was sent to 600 United Nations email addresses, BleepingComputer stated in a second report. The email, also spotted by Cofense researchers, appeared to be from representatives with the Permanent Mission or Norway, falsely suggesting that there is a problem with an attached agreement and instructing the recipient to review the document.
Though still described as a banking trojan, Emotet can also steal data and credentials and act as a downloader that leads to secondary malicious payloads like Ryuk ransomware and the TrickBot banking trojan.
Additionally, as a mode of self-propagation, Emotet can access a victim’s inbox and reply to the various unread emails contained within, using content stolen from the unread emails to impersonate the original victim. These reply emails are delivered via a network of stolen outbound SMTP accounts, all in an attempt to trick the victim’s email contacts into opening up a malicious attachment and become infected themselves, explains Cisco Talos in a blog post report today.
It is this man-in-the-middle functionality, Talos continues, that likely has caused a recent uptick in Emotet spam messages directed at military (.mil) and government (.gov) TLDs. The volume of these particular emails rose steadily from September through December 2019, peaking in the last month of the year. Following a holiday break, it appears the trend is continuing, though in smaller quantities.
Talos believes at least some this activity was precipitated by Emotet successfully compromising at least one person working in or for U.S. government. From there, the malware issued out additional phishing emails to that person or persons’ contacts.
Talos cites as an example an Emotet spam email that was sent to an individual working for U.S. Sen. Cory Booker, after previously infecting someone at booker.senate.gov. It is not indicated whether the latter person was also infected via another contact person.
“One of the most cunning aspects of Emotet’s propagation is the way they use social engineering of personal/professional relationships to facilitate further malware infection. When receiving a message from a trusted friend or colleague, it is quite natural for recipients to think, ‘ can safely open this email attachment because it is in reply to a message I sent, or from someone I know,’” wrote blog post author Jason Schultz, a technical leader with Talos. “Any person or organization who has sent an email to an Emotet victim could be targeted by Emotet’s propagation messages. The more interaction with the victim you have, the more likely you are to receive malicious email from Emotet. Like a meandering watering hole attack, this is how Emotet crosses organizational boundaries with the potential to affect entire industries or even countries.”