Cybersecurity researchers are sounding the alarm about Emotet, a powerful email malware that is now being used to attack U.S. government and military targets.
After a brief break over the holidays, security companies are now seeing a resurgence in how often the malware is used against businesses and government entities.
In a blog post and interview, Cisco Talos researchers Jaeson Schultz and Nick Biasini explained why Emotet has become one of the most devastating attacks in a cybercriminal’s arsenal.
The malware attacks email accounts and is able to spread by infiltrating other contacts in the inbox and responding to threads with malicious links or attachments.
“One of the things that makes Emotet so interesting is the way that it harvests email addresses, and actually responds to threads,” Biasini said in an interview.
“Think about it from your own perspective. If you receive a spam message that’s from someone you’ve never heard of, you’re likely to delete it. If that email comes from someone you know, the likelihood of clicking on it goes up. And that number goes up even further when it’s a reply to a thread that you already had going with that person,” Biasini said.
“You can start to understand why this is becoming such a big problem and why it’s so effective at what it does,” he added.
“We track it heavily, as it’s continuing to spin up and send out email messages, we pick up on that quickly. Emotet is everywhere. I see Emotet infections and Emotet traffic happening all the time. It’s an opportunistic threat, so as it comprises a system, harvest email addresses off of it and use other email addresses to attack.”
SEE: 10 ways to minimize fileless malware infections (free PDF) (TechRepublic)
Schultz wrote in his blog post that Emotet was “one of the most prolific vehicles for delivering malware that we have seen in modern times,” because it takes stock of the people who you email with the most and sends those people malicious messages, understanding that people are more likely to open emails from friends and longtime colleagues.
According to his research, hackers using Emotet have pivoted over the past few months to attack .mil (U.S. military) and .gov (U.S./state government) top-level domains
“Sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government,” Schultz said.
“As a result of this, Talos saw a rapid increase in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019. Now that Emotet is back from their Orthodox Christmas vacation, that trend has continued into January 2020.”
Cisco Talos researchers showed that Emotet has a remarkable ability to mimic email language, even adding previous email threads to a message as well as contact information.
In one example included in Schultz’s blog post, people behind one Emotet attack sent emails to someone working for U.S. Sen. Cory Booker. The Emotet email included signatures that showed it originated from someone else using the “booker.senate.gov” tag.
Emotet’s ability to mimic email lingo and penchant for responding to email threads makes it difficult for anti-spam systems to stop. But both Schultz and Biasini said security teams should be able to tell when they’re being attacked by the sheer volume of emails being received.
The way Emotet is being deployed now makes it even more dangerous, and Biasini said enterprises had to protect themselves with high-level email security services as well as some sort of endpoint or malware protection software.
“Emotet is a financially motivated malware, crimeware, so its goal is to make money. That’s what it does. Beyond that, it’s hard to say who is actually behind it, other than its financially motivated in nature,” he said.
“There’s a lot of examples of Emotet being an initial infection vector where you see Emotet but then you see a Trickbot is dropped and that’s followed up by a ransomware. So if you’ve seen a lot of these big game hunting attacks, Emotet plays a role in that as well. That’s another reason why it’s such an important threat that enterprises need to be aware of.”