Posted on April 12, 2019 at 12:52 PM
Malware Emotet Using North Korean Tricks to Show Its Still King
Emotet is possibly the most dangerous malware in the world that is not sponsored by a government and with the new tactics they are using, they have upgraded their arsenal.
The hacking gang known around the world for making Emotet has been using a new trick that was previously the domain of nation-state hacking groups. Emotet has been spotted reviving old email threads and injecting links to malicious software in them. The activity was spotted this week and the user might receive spoofed emails from previous correspondences. The email will be part of a chain and will look like they come from someone they know, but will actually come from an Emotet server.
The conversation is not changed in the least, the only thing that happens is that Emtoet would insert a URL at the top of the email and this URL would link to a malicious document or a file that Emotet had infected with malware.
North Korean tactic stolen by Emotet
This tactic is new to the public, but cybersecurity researchers who follow the actions of government-sponsored hacking groups will immediately recognize it. Palo Alto Networks’ reported that a group believed to have the financial backing of North Korea was inserting malware into old email threads. The hack used the CVE-2017-0199 Microsoft Word Office/WordPad Remote Code Execution Vulnerability and hacking into individual accounts one by one and manually hijacking old email threads.
However, Emotet has gone another route. They are leveraging threads that were mass-harvested form previous victims. The majority of the threads come from victims of a hack back in October of last year. The module they dropped in October harvested millions of emails and many security experts were worried that it was only a part of a larger plan.
These experts noticed last month that Emotet tried to use the emails as a spam distribution network. They only began using the harvested emails at a larger scale last week. The emails are being used to fake replies in existing email chains at a scale never seen before in the cyber security world. All of the spam coming from Emotet’s hacking is coming from emails collected prior to November 2018. Many in the industry believe that newer emails that have been infected since then, will only start being used sometime in the future.
German as well as English users at risk
While it would mainly be English speaking users that were being hacked and used by Emotet, says Joseph Roosen who is a security researcher for Cryptolaemus. It seems that German language users can expect to see the spam and be targetted soon enough.
What makes this spam attack so serious is that both of Emotet’s botnet clusters are being used for this particular campaign. They are usually split and left doing different things so when both do one thing at the same time it raises questions in the infosec community. Particularly since the templates used for the spam and hijacking are very limited compared to the regular spam templates that Emotet uses.
If you are receiving an updated reply from an old email conversation, that means you are likely being targetted and that at least one person in the email chain has a compromised email address. This is particularly serious for businesses, as Emotet are dangerous enough in the public, but if they have access to a business network, they could do untold damage.
While Emotet started off as a simple baking trojan it has become so much more over the last few years. The botnet that Emotet allows it’s creators to run is popular among underground circles.
