What is Emotet Malware and how is it Delivered?
Emotet originally arrived on the scene as a new banking trojan in 2014. In the past 12 months, however, it has evolved from a standalone threat into a prolific distributor of other trojans, including TrickBot, Zeus Panda Banker, IcedID, Qakbot, and Dridex. In 2020, it has become an increasingly pervasive menace, with the United States Computer Emergency Readiness Team (US-CERT) issuing an alert highlighting the serious threat posed by Emotet and describing it as “among the most costly and destructive malware” affecting organizations today.
How is Emotet delivered?
Emotet malspam is very different from other malware email campaigns in that it starts early and lasts throughout the whole day, making it hard to determine the end of one campaign and beginning of the next. However, in general, campaigns start at night between 1:00am EST and 5:00am EST. There are exceptions to this as some campaigns start much later in the day, for example at 3:00pm EST on August 5, 2020.
Emotet campaigns can typically be seen Monday through Friday, and there is no significant sending on weekends. There are some exceptions to this as the actor did not send malicious email on Friday, July 24, Monday, August 3, Tuesday, August 4, or during the period of July 17, 2020 to August 18, 2020.
TA542 continues to leverage social engineering mechanisms to increase infection rates. They compose emails in the appropriate language for the targeted country. They use simple “call to action” emails.
Note: The diagram below depicts one of the many variations of Emotet infections. Emotet is constantly evolving, however, and current samples appear to have ditched the credential-scraping and selfpropagation modules in favor of downloading and deploying other banking trojans with those capabilities.
Emotet by Email
A large percentage of Emotet emails use thread hijacking (replies to previous conversations), and the subjects begin with “Re: ” or “RE: “, such as:
Re: [subject from stolen email]
RE: [subject from stolen email]
Another noticeable trend is using the recipient’s name, job function, company name, or company domain in the subject. The Friendly-From name of the sender address often contains the company name or domain. The email body also often contains the company name, domain or recipient name in the greeting and signature.
Emotet delivery by URLs
We have not observed changes in the way that this actor embeds URLs in emails. The URLs are still frequently hosted on compromised sites, including vulnerable WordPress installations. The URLs hosted on compromised WordPress CMS sites are obvious to spot as they are often hosted with “wp-content”, “wp-admin”, “wp-includes” and other similar folder structure. For other URLs it is not immediately obvious how the actor compromised the sites since there are a range of servers (i.e. Apache, nginx, IIS), databases (i.e. MySQL), languages (i.e. PHP), libraries, plugins, eCommerce frameworks, etc.
The actor typically adds a nested structure of one or more folders on the compromised site and hosts a malicious PHP script that initiates the download of the payload. Currently we only observe URLs leading to Microsoft Word documents with macros.
Conclusion
Since returning from an extended vacation, TA542 email campaigns are once again the most prevalent by message volume by a large margin, with only a few other actors coming close. They have introduced code changes to their malware, such as updates to the email sending module, and picked up a new affiliate payload to distribute (Qbot). They continue to experiment with delivery to new countries. Despite these changes we also noted that many of their other methods and tooling have remained relatively unchanged from previous activity since their return. Current lures, delivery mechanisms, and widespread geographic targeting are all similar to what we have observed in the past. Whether they iterate and change their tactics or continue in the same manner, Emotet remains a highly dangerous threat.
