TA542 Fortifies Emotet’s Attack Tactics

TA542 (aka Mummy Spider), the cybercrime group linked to the development of the Emotet malware, has returned with some new tricks and tactics.

What happened?

  • In August 2020, TA542 was seen running email campaigns distributing Emotet malware, with some innovations. Emotet is now distributing Qbot affiliate “partner01” as the primary payload delivered instead of The Trick.
  • Besides targeting the core set of countries (Germany, Austria, Switzerland, the United States, the United Kingdom, and Canada), the campaigns now also include new areas such as Indonesia, the Philippines, Sweden, and India.

Attack methods

The new campaign is using legitimate stolen email attachments and email threads, to lure the target victims into opening the Word or PDF attachments or URLs linked to the downloads.
  • TA542, additionally, uses country-specific local languages, current affairs, and popular topics such as COVID-19 as lures.
  • The emails also include several personalized details about the victims, such as name, job function, company name, or company domain in the subject line.

Recent highlights

  • Since its re-emergence in mid-July, Emotet malware campaigns were seen sending hundreds of thousands of messages, making it one of the top spreading malware again.
  • In mid-August 2020, researchers disclosed that they had discovered a kill switch to stop this malware in February and were promoting that to reduce the risk. However, the Emotet operators again made some updates to its core loader, thereby disabling the switch itself.

Conclusion

TA542 is not only making fast enhancements in its malware’s attack tactics but also curbing the attempts made to stop its progress. Its expansion to new target geographies clearly indicates its growing ambitions. Therefore, as experts suggest, the best way out for protection from this malware is by staying more vigilant while opening emails and attachments received from unknown senders and leveraging a proactive intel-based approach to conter such threats at an early stage.