Recently, HP-Bromium threat researchers released a report on notable malware trends in the third quarter of 2020, including Emotet’s activities. Despite its origin as a banking trojan, Emotet has evolved into a loader that provides third-party threat groups with access to compromised systems, which they use to deploy secondary payloads (TrickBot, QakBot) and human-operated ransomware.
What’s in the report?
According to the report, Emotet’s activities have increased by over 1,200% in Q3 compared to Q2, suggesting a huge surge in ransomware campaigns.
- In this quarter, Emotet operators have been seen tricking users into running a malicious Word document embedded with payloads.
- Malicious Word attachment naming was automated by using templates in nine languages—English, French, German, Greek, Hindi, Italian, Japanese, Spanish, and Vietnamese.
- Japanese and Australian organizations were the most affected by the resurgent Emotet spam activity in Q3, accounting for 32% and 20% of recipients, respectively.
- Emotet’s operators have consistently targeted enterprises with thread hijacking techniques: after compromising a user’s mailbox on an infected system, the malware exfiltrates its contents to the C&C servers.
- In Q3, the memory corruption vulnerability (CVE-2017-11882) in Microsoft Office was one of the most targeted vulnerabilities.
- Trojans (43%) and potentially unwanted applications (21%) were the most common malware types isolated by HP’s security product.
- In addition, the researchers detected several TrickBot spam campaigns: a July campaign with embedded payloads and a larger campaign in September with a low detection rate.
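The thread hijacking lure described above, as an added example that is not from the report: a Python heuristic that flags replies to an existing conversation which arrive from a domain not previously seen in that thread and carry a Word attachment. The set of known thread domains is an assumed input from a mail archive, and the sample messages are constructed.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Attachment types the report associates with Emotet's lure (Word documents).
WORD_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm")

def thread_hijack_indicators(raw_message, thread_domains):
    """Return the reasons a message looks like a hijacked-thread lure.
    thread_domains: sender domains already seen in the conversation; assumed
    to come from the organisation's mail archive (hypothetical input)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).lower()
    is_reply = bool(msg.get("In-Reply-To")) or subject.startswith(("re:", "fw:", "fwd:"))
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    domain = sender.rsplit("@", 1)[-1].lower()
    if is_reply and domain not in thread_domains:
        reasons.append(f"reply to existing thread from unrelated domain {domain}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(WORD_EXTENSIONS):
            reasons.append(f"Word attachment {name}")
    # Both signals together match the Emotet pattern; either alone is only a hint.
    return reasons

def build_sample(sender, subject, in_reply_to=None, attachment=None):
    """Build a constructed MIME message for testing (not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "alice@example.com"
    m["Subject"] = subject
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content("Please see the attached document.")
    if attachment:
        # Placeholder bytes standing in for a document body.
        m.add_attachment(b"\xd0\xcf\x11\xe0 placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_string()

# A legitimate reply from a known thread participant, and a lure that reuses the
# thread's subject and In-Reply-To but comes from an unrelated domain.
LEGIT = build_sample("bob@partner.example", "Re: Q3 invoice", "<abc@partner.example>")
LURE = build_sample("bob@unrelated-sender.example", "Re: Q3 invoice",
                    "<abc@partner.example>", "Q3 invoice.doc")
KNOWN_THREAD_DOMAINS = {"example.com", "partner.example"}
```

Running `thread_hijack_indicators(LURE, KNOWN_THREAD_DOMAINS)` returns two reasons, while the legitimate reply returns none.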
Recent Emotet attacks
- Recently, Emotet operators were seen running Halloween-themed spam campaigns that invited recipients to a Halloween party.
- Emotet was also found sending spam emails posing as feature updates for Microsoft Word and Windows Update in order to infect corporate and government networks.
The FBI and CISA have recommended implementing group policy objects, firewall rules, antivirus solutions, and email filters, among other measures, to prevent malware threats such as Emotet.