How Emotet lures victims: Amazon, DHL, and war in Ukraine


Emotet is back at the top of the list of prevalent and dangerous malware families, with tens of thousands of malspam campaigns conducted over the last months.

Security company Infoblox observed over 60,000 malspam campaigns distributing 13,000 file hashes.


“Emotet is a notorious malware family that has evolved significantly over the years: from a simple banking trojan to a botnet to an infrastructure for content delivery,” the company said.

Taken down by law enforcement in January 2021, Emotet was offline only for 11 months. Threat actors developed better detection evasion techniques, and now Emotet is back as one of the most prevalent threats to organizations.

“A consistent feature of Emotet has been its use of email as a delivery vector. Microsoft Office documents have been the attachments of choice, and Excel files have been the most prevalent of these documents,” Infoblox said.

The observed malspam campaigns share several characteristics. They use “RE:,” “FW:” and other generic lures in the subject lines, together with shipping- and invoice-related keywords, and they often spoof Amazon and DHL to fool the victims.

“Some subject lines contain Ukraine-themed lures, which make the emails appear up-to-date with important events happening in the world.”

Emotet lures

These lures, however, are not exclusive to Emotet – threat actors behind different attack vectors often impersonate popular brands and exploit hot topics for their benefit.

Crooks try to trick recipients into opening the attachment; doing so triggers malicious XLM (Excel 4.0) macros and starts the Emotet infection chain.


Often, the phishing email contains a single Microsoft Excel file, and sometimes attachments are zip archives.

“In all cases where the attachment is a zip archive, the contents are an Excel document. One possible reason Microsoft Excel files are the preferred attachment type is that the corporate world moves slowly, and the patches or Microsoft updates are deployed very slowly, and this buys attackers additional time to infect the victims’ computers,” Infoblox noted.
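The lure and attachment traits described above (generic RE:/FW: subjects, shipping and invoice keywords, Amazon/DHL impersonation, Excel files delivered directly or inside a zip, and XLM macros) translate directly into mail-gateway triage heuristics. The following is an added example written for this article, not Infoblox's tooling; the message structure, the scoring weights, the keyword list and the sample message are constructed assumptions. The workbook check relies on the OOXML layout, where Excel 4.0 macro sheets live under `xl/macrosheets/` and VBA under `xl/vbaProject.bin`; legacy binary `.xls` files need a different (OLE) parser and are only flagged by extension here.

```python
"""Triage heuristics for Emotet-style malspam (constructed example, not Infoblox's code)."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Assumed heuristics: weights and keyword lists are illustrative choices, not published thresholds.
SUBJECT_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
LURE_KEYWORDS = ("invoice", "shipping", "shipment", "delivery", "payment", "ukraine")
IMPERSONATED_BRANDS = {"amazon": ("amazon.com",), "dhl": ("dhl.com", "dhl.de")}
EXCEL_EXT = (".xls", ".xlsx", ".xlsm", ".xlsb")


@dataclass
class Message:
    subject: str
    from_display: str
    from_addr: str
    attachments: dict  # filename -> raw bytes


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def _hit(v, points, reason):
    v.score += points
    v.reasons.append(reason)


def inspect_workbook(data):
    """Return macro markers found in an OOXML workbook (a zip container), or [] if it is not one."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return found
    if "xl/workbook.xml" not in names:
        return found  # not an OOXML spreadsheet (legacy .xls is OLE, handled elsewhere)
    if any(n.startswith("xl/macrosheets/") for n in names):
        found.append("xlm_macrosheet")  # Excel 4.0 (XLM) macro sheet present
    if "xl/vbaProject.bin" in names:
        found.append("vba_project")
    return found


def excel_payloads(filename, data):
    """Yield (name, bytes) for Excel attachments, unwrapping a zip archive that contains them."""
    lower = filename.lower()
    if lower.endswith(EXCEL_EXT):
        yield filename, data
        return
    if lower.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for n in z.namelist():
                    if n.lower().endswith(EXCEL_EXT):
                        yield f"{filename}/{n}", z.read(n)
        except zipfile.BadZipFile:
            return


def triage(msg):
    """Score a message against the lure and attachment traits; higher means more suspicious."""
    v = Verdict()
    if SUBJECT_PREFIX.match(msg.subject):
        _hit(v, 1, "generic RE:/FW: subject prefix")
    kws = [k for k in LURE_KEYWORDS if k in msg.subject.lower()]
    if kws:
        _hit(v, 1, "lure keyword(s): " + ", ".join(kws))
    sender_domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    for brand, domains in IMPERSONATED_BRANDS.items():
        claims_brand = brand in msg.from_display.lower()
        legit = any(sender_domain == d or sender_domain.endswith("." + d) for d in domains)
        if claims_brand and not legit:
            _hit(v, 2, f"display name claims {brand} but sender domain is {sender_domain}")
    for fname, data in msg.attachments.items():
        for name, payload in excel_payloads(fname, data):
            _hit(v, 2, f"Excel attachment: {name}")
            for marker in inspect_workbook(payload):
                _hit(v, 3, f"{name} contains {marker}")
    return v


def build_sample_workbook(with_xlm=True):
    """Constructed minimal OOXML workbook skeleton, optionally carrying an XLM macro sheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_xlm:
            z.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


def build_sample_message():
    """Constructed message mimicking the described pattern: zip wrapping a macro workbook."""
    wrapper = io.BytesIO()
    with zipfile.ZipFile(wrapper, "w") as z:
        z.writestr("Invoice_4471.xlsm", build_sample_workbook())
    return Message(subject="RE: DHL shipping invoice", from_display="DHL Express",
                   from_addr="notify@example.net", attachments={"documents.zip": wrapper.getvalue()})


if __name__ == "__main__":
    verdict = triage(build_sample_message())
    print(verdict.score, *verdict.reasons, sep="\n")
```

On the constructed sample every heuristic fires, giving a score of 9 with five reasons; a plain internal message with no attachment scores 0. In a real gateway the weights would be tuned against local mail volume, and a positive `xlm_macrosheet` or `vba_project` marker is usually worth quarantining on its own regardless of the subject-line signals.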

In January, Microsoft released an advisory on disabling Excel XLM macros to mitigate the threat. Even so, Infoblox continued to observe high volumes of malspam with macro-enabled attachments.

Infoblox’s analysis indicated that Emotet’s command-and-control IPs belong to virtual private cloud (VPC) infrastructure and that the threat actor behind Emotet pays for the service.

“Before the takedown, most of the hosting providers used were telecommunications providers. Since the takedown, there has been an increase in the number of hosting providers that offer VPC solutions, which provide more privacy and make it more difficult for law enforcement agencies to conduct takedowns,” the company noted.