
Refreshed from its holiday, Emotet has gone phishing • The Register


Emotet is back. After another months-long lull since a spate of attacks in November 2022, the notorious malware operation that has already survived a law enforcement takedown and various periods of inactivity began sending out malicious emails on Tuesday morning.

Researchers with cybersecurity firms Cofense and Cryptolaemus, which track Emotet activity, both reported a sudden restart of spamming from the botnet. Palo Alto Networks’ Unit 42 threat intelligence group also tweeted about the new activity, saying its researchers had “also seen new #Emotet #malspam and the associated malware (inflated Word docs and inflated Emotet Dll files).”

It’s unknown why the operation has started up now after three months of inactivity, or how long it will last – the previous spamming run in November 2022 lasted two weeks before everything stopped, and even that was preceded by three months of quiet.

However, Emotet’s return has generated a lot of discussion in the cybersecurity world about malware that less than a year ago was ranked by Check Point as the world’s top cyberthreat.

“We are seeing [Emotet’s] Red Dawn templates that are very large coming in at over 500MB,” Cryptolaemus tweeted about the Russia-linked malware operation. “Currently seeing a decent flow of spam … Get ready because here comes fat docs from Ivan!”

An evolving threat

Emotet started life almost a decade ago as a banking trojan, but it soon evolved into a loader delivered through spear-phishing campaigns, including emails carrying malicious Microsoft Word and Excel attachments. In January 2021, law enforcement from the US, UK, Europe, and Ukraine took apart the operation’s infrastructure, but the group resurfaced 10 months later.

“The malware and actors resumed operations with a vengeance and rose back up to become one of the top malware families used in phishing attacks,” cybersecurity outfit AttackIQ wrote in a report last month.

One of Emotet’s distinguishing attributes has been the variety of attachment types it uses to evade detection signatures, according to AttackIQ.

Cofense writes that the malicious emails being sent this week appear to be replies to existing email chains, with ZIP…

Emotet Botnet Started Distributing Quantum and BlackCat Ransomware


The Emotet malware is now being leveraged by ransomware-as-a-service (RaaS) groups, including Quantum and BlackCat, after Conti’s official retirement from the threat landscape this year.

Emotet started off as a banking trojan in 2014, but updates added over time have transformed it into a highly potent threat capable of downloading additional payloads onto the victim’s machine, giving the attacker remote control over it.

Although the infrastructure associated with the invasive malware loader was taken down as part of a law enforcement effort in January 2021, the Conti ransomware cartel is said to have played an instrumental role in its comeback late last year.


“From November 2021 to Conti’s dissolution in June 2022, Emotet was an exclusive Conti ransomware tool, however, the Emotet infection chain is currently attributed to Quantum and BlackCat,” AdvIntel said in an advisory published last week.

Typical attack sequences use Emotet (aka SpmTools) as the initial access vector to drop Cobalt Strike, which is then used as a post-exploitation tool for ransomware operations.

The notorious Conti ransomware gang may have dissolved, but several of its members remain as active as ever either as part of other ransomware crews like BlackCat and Hive or as independent groups focused on data extortion and other criminal endeavors.


Quantum is also a Conti spin-off group that, in the intervening months, has resorted to the technique of call-back phishing – dubbed BazaCall or BazarCall – as a means to breach targeted networks.

“Conti affiliates use a variety of initial access vectors including phishing, compromised credentials, malware distribution, and exploiting vulnerabilities,” Recorded Future noted in a report published last month.

AdvIntel said it observed over 1,267,000 Emotet infections across the world since the start of the year, with activity peaks registered in February and March coinciding with Russia’s invasion of Ukraine.


A second surge in infections occurred between June and July, owing to its use by ransomware groups such as Quantum and BlackCat. Data captured by the cybersecurity firm shows that the most Emotet-targeted country is…

Emotet Resurfacing as Power Player in Ransomware Wars, Avertium Warns


Avertium, a Top 250 MSSP, has released a report that dives deep into the notorious Emotet botnet and warns of its criminal intent.

Avertium, a Top 250 MSSP, has released a new threat intelligence report that takes a deep dive on the notorious Emotet botnet and warns organizations of its criminal capabilities.

Emotet has a history of disappearing and re-emerging, most notably going underground after a surgical takedown spanning eight countries dismantled what was then the world’s most dangerous malware operation in January 2021. International law enforcement, including the Federal Bureau of Investigation (FBI), gained control of Emotet’s infrastructure. The effort, which involved hundreds of servers located around the world, took the botnet down from the inside and redirected victims’ infected machines to a law-enforcement-controlled environment.

Emotet has been linked to many destructive ransomware infections and associated with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil-related attacks. The malware, first discovered as a banking trojan in 2014, evolved over time into the kingpin platform for cyber hijackers.

Emotet was sold as a service to smaller operatives and criminal groups, acting as an access key to compromised systems ripe for data theft and ransomware extortion. Following the law enforcement action, the syndicate disappeared for the next 10 months, then reappeared in Q1 2022 with new tactics and targets.

A Deeper Dive Into Emotet

Here’s what’s new with Emotet:

  • In March 2022 during U.S. tax season, Emotet was pretending to be the IRS and sent fake tax forms and bogus federal tax returns to victims.
  • By July 2022 researchers were reporting Emotet as the top malware threat.
  • Cyber researcher AdvIntel observed a total of 1,267,598 Emotet infections worldwide so far this year. Activity from Emotet peaked between February and March 2022, kicking off during the start of the Russian-Ukraine conflict. On August 8, 2022, AdvIntel confirmed that two education entities in Kansas City were infected with the botnet. Additionally, on August 12,…


Emotet retains hold as most prevalent malware


Notorious botnet Emotet has held on to its spot as the most widely used malware, according to the latest Global Threat Index from Check Point Research (CPR).

The news comes despite a 50% drop in its global impact in July compared to June. CPR estimates that it affects 7% of organisations worldwide.

In addition, CPR warned that the botnet has added new features and capabilities, including a newly developed credit card stealer module and adjustments to its spreading mechanisms.

Emotet’s popularity comes in spite of its previous ‘deletion’ from the internet. As part of a major police operation at the start of 2021, infrastructure used to deliver the botnet was seized and people accused of being behind it were arrested.

An update was then delivered to all infected machines to disable Emotet, and its command-and-control servers were taken down.

Authorities hoped this would mean the end of one of the world’s most prolific botnets, estimated to be running on around one million devices globally.

However, it has resurged and regained its position as the top malware threat.

Other than Emotet, CPR identified several other movements in the global malware ecosystem in July.

Formbook is the second most prevalent form of malware, affecting 3% of organisations worldwide. First detected in 2016, this infostealer targets Windows OS where it harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files.


Snake Keylogger, a credential stealer, fell from third to eighth place. The month before, it was being spread via malicious Word documents, so the decrease in its prevalence could be due in part to Microsoft’s recent confirmation that it will block macros by default.

Replacing it in third place is XMRig, open-source CPU mining software used to mine cryptocurrency – an indication that cybercriminals are fundamentally ‘in it for the money’ despite any higher motivations they may claim, such as hacktivism.

Malibot, which was new to CPR’s report last month, remains a threat to users of mobile banking as it is still the third most prevalent mobile…