
By Nick Biasini, Edmund Brumaghin, and Jaeson Schultz.
Emotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of Emotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails are typically sent automatically by previously infected systems attempting to infect new systems with Emotet, continuing to grow the botnets associated with this threat. Emotet is often the initial malware delivered as part of a multi-stage infection process and is not targeted in nature. Emotet has impacted systems in virtually every country on the planet over the past several years and often leads to high-impact security incidents, as the network access it provides to adversaries enables further attacks such as big-game hunting and double-extortion ransomware.
Cisco Talos obtained ownership of several domains that Emotet uses to send SMTP communications. We leveraged these domains to sinkhole email communications originating from the Emotet botnets for the purposes of observing the characteristics of these email campaigns over time and to gain additional insight into the scope and profile of Emotet infections and the organizations being impacted by this threat. Emotet has been observed taking extended breaks over the past few years, and 2020 was no exception. Let's take a look at what Emotet has been up to in 2020 and the effect it's had on the internet as a whole.
Emotet background
Emotet began its life as a banking trojan, but over the years it evolved into what can now be classified as a highly modular threat that adversaries leverage for a variety of purposes. In recent years, it has often been used as a "beachhead" in victim networks: it provides initial access and long-term persistence that adversaries can use to conduct further intrusion activity from within infected networks. In many cases, it is used as the initial payload in a multi-stage infection process and can be operational in victim networks for extended periods of time before adversaries choose to leverage the access it provides to further attack the organization. This is an important consideration for network defenders, as system backups may themselves contain the malware when an infection has resided in the environment for a long time.
There are several other malware families that are often delivered alongside Emotet, such as Trickbot and Qakbot. Many network-based ransomware incidents, such as those conducted by the operators of Ryuk ransomware, can be traced back to initial network access gained via Emotet. Over the past few years, Emotet has periodically taken breaks from sending spam messages, with periods of inactivity ranging from weeks to months in several cases. It is important to note that while these periods of inactivity correspond to a lack of spam distribution, the botnets are typically still operational during these periods, and as such, previously infected systems can still be leveraged for intrusions.
Organizations and network defenders should be aware of the threat posed by Emotet and ensure that they have strategies in place to prevent compromise, detect infections within their environments, and ensure that their backup and recovery strategies compensate for situations in which the malware may have been resident for extended periods prior to discovery.
Sinkholing Emotet SMTP domains
Several top-level domains (TLDs) that are widely used across the internet exhibit interesting behavior when Domain Name System (DNS) resolution is attempted for domains that do not exist or are not actively registered. Rather than returning NXDOMAIN, these TLDs are configured (in effect, a wildcard record in the TLD zone) to resolve non-existent domains to a specific IP address. Whenever the name servers for these TLDs receive a query for a domain that is not actively configured to resolve to its own address, they respond with a default IP address, regardless of whether the domain being queried is invalid or has ever existed. Upon discovering this behavior, we leveraged the official list of TLDs available from ICANN to determine which TLDs operate in this manner: we rotated through the list, requested name resolution for domains under each TLD that are known not to exist, and recorded the TLDs that nonetheless returned an answer.
For example, the name resolution activity for a C2 domain previously associated with Phorpiex, since abandoned by its operators, is shown below. While the adversary no longer controls the domain, orphaned bots are still reaching out to it, attempting to establish a C2 channel. Note that it currently resolves to the default IP address returned for nonexistent domains in the .ws TLD, as described above.
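One way to build that list of wildcarding TLDs, as an added example rather than Talos's tooling: probe each TLD with several random labels and record the TLD only if every probe resolves to the same address, which rules out a single lucky hit. The resolver is injectable; the default uses the OS resolver (A records only) via socket.gethostbyname, and any TLD names used in an offline run are hypothetical. The last function is the check for the situation described above: a domain that still gets an answer, but only because its TLD answers for everything.

```python
"""Find TLDs that answer for names that do not exist (wildcard TLDs).

Added example; not Talos tooling. `resolve` is injectable so the logic can be
exercised offline with a fake resolver.
"""
import secrets
import socket
import sys
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a hostname to an IPv4 address, or None if the name does not resolve.
Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve with the OS stub resolver; None on NXDOMAIN or any lookup error."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def random_label() -> str:
    """A 24-hex-char label: effectively guaranteed to be unregistered under any TLD."""
    return secrets.token_hex(12)


def wildcard_address(tld: str, resolve: Resolver, probes: int = 3) -> Optional[str]:
    """Return the default IP a TLD hands out for non-existent names, else None.

    One random name resolving could be a coincidence or a resolver quirk, so
    every probe must resolve and all must agree on the same address before
    the TLD is treated as a wildcard.
    """
    seen = set()
    for _ in range(probes):
        ip = resolve(f"{random_label()}.{tld}")
        if ip is None:
            return None
        seen.add(ip)
    return seen.pop() if len(seen) == 1 else None


def find_wildcard_tlds(tlds: Iterable[str], resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Map each wildcarding TLD to its default address.

    Accepts the IANA TLD list as published: one TLD per line, any case, an
    optional leading dot, and a leading '# ...' version comment that is skipped.
    """
    found: Dict[str, str] = {}
    for entry in tlds:
        tld = entry.strip().lower().lstrip(".")
        if not tld or tld.startswith("#"):
            continue
        ip = wildcard_address(tld, resolve)
        if ip is not None:
            found[tld] = ip
    return found


def resolves_only_via_wildcard(domain: str, wildcards: Dict[str, str],
                               resolve: Resolver = system_resolver) -> bool:
    """True when `domain` resolves solely because its TLD wildcards.

    This is the check for an abandoned C2 or an unregistered recipient domain:
    it still gets an answer, but the answer is the TLD's default address rather
    than one that anyone registered.
    """
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    ip = resolve(domain)
    return ip is not None and wildcards.get(tld) == ip


if __name__ == "__main__":
    # Usage: python wildcard_tlds.py < tlds-alpha-by-domain.txt
    for tld, ip in find_wildcard_tlds(sys.stdin).items():
        print(f"{tld}\t{ip}")
```

Run it against a live TLD list only from a host whose resolver you trust: a resolver that itself synthesizes answers for NXDOMAIN (some ISP resolvers do) would make every TLD look like a wildcard, which is exactly why the probes must agree on one address and why the result should be spot-checked with an authoritative query.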
Sinkholing is the process of redirecting this malicious botnet traffic away from the destination the adversary intended and into infrastructure controlled by defenders, where it can be observed without causing harm. Taking ownership of these domains has provided visibility into hundreds of thousands of Emotet emails each month. It has also allowed us to determine the scope of the systems sending malicious spam, profile the geographic and industry makeup of these systems, and identify organizations suffering from resident Emotet infections.
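What an SMTP sinkhole for this kind of traffic looks like in practice, as an added example that is not Talos's infrastructure: a minimal server that answers every command with success so the infected host hands over the whole message, records the envelope and body, and never delivers anything. The hostname sinkhole.invalid and port 2525 are assumptions; the protocol handling is kept in SinkholeSession so it can be driven line by line without a network.

```python
"""Minimal SMTP sinkhole: accept every message, relay nothing, keep the evidence."""
import asyncio
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CapturedMail:
    peer: str                      # address of the (presumably infected) sender
    helo: str = ""
    mail_from: str = ""
    rcpt_to: List[str] = field(default_factory=list)
    data: bytes = b""


def _address(arg: str) -> str:
    """'FROM:<bob@example.org> SIZE=1234' -> 'bob@example.org'."""
    return arg.partition(":")[2].strip().split(" ", 1)[0].strip("<>")


class SinkholeSession:
    """One client connection; feed() takes a raw line and returns the reply (or None).

    Every command succeeds so the bot completes the transaction and the whole
    message is captured. The '250 OK: queued' after DATA is a lie: nothing is queued.
    """

    def __init__(self, peer: str, hostname: str = "sinkhole.invalid"):
        self.hostname, self.peer = hostname, peer
        self.captured: List[CapturedMail] = []
        self._mail = CapturedMail(peer=peer)
        self._body: List[bytes] = []
        self._in_data = False

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP\r\n"

    def feed(self, line: bytes) -> Optional[str]:
        if self._in_data:
            return self._data_line(line)
        cmd, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            self._mail.helo = arg.strip()
            return f"250 {self.hostname}\r\n"
        if cmd == "MAIL":
            self._mail.mail_from = _address(arg)
            return "250 OK\r\n"
        if cmd == "RCPT":
            self._mail.rcpt_to.append(_address(arg))
            return "250 OK\r\n"
        if cmd == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>\r\n"
        if cmd == "RSET":
            self._mail = CapturedMail(peer=self.peer)
            return "250 OK\r\n"
        if cmd == "QUIT":
            return "221 Bye\r\n"
        return "500 Command not recognized\r\n"

    def _data_line(self, line: bytes) -> Optional[str]:
        if line.rstrip(b"\r\n") == b".":            # end of message
            self._mail.data = b"".join(self._body)
            self.captured.append(self._mail)
            self._mail, self._body, self._in_data = CapturedMail(peer=self.peer), [], False
            return "250 OK: queued\r\n"
        if line.startswith(b".."):                   # RFC 5321 dot-unstuffing
            line = line[1:]
        self._body.append(line)
        return None                                  # server is silent during DATA


async def _handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    session = SinkholeSession(writer.get_extra_info("peername")[0])
    writer.write(session.greeting().encode())
    try:
        while True:
            line = await reader.readline()
            if not line:                             # client went away
                break
            reply = session.feed(line)
            if reply:
                writer.write(reply.encode())
                await writer.drain()
                if reply.startswith("221"):
                    break
    finally:
        for m in session.captured:                   # swap for real storage
            print(f"{m.peer} helo={m.helo!r} from={m.mail_from} to={m.rcpt_to} bytes={len(m.data)}")
        writer.close()


async def main(port: int = 2525) -> None:            # 2525: port 25 needs privileges
    server = await asyncio.start_server(_handle, "0.0.0.0", port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The sender's IP, HELO string and MAIL FROM are the data that later profiling depends on, so they are recorded per message rather than per connection. A production sinkhole also needs a message size cap and disk quota, since the whole point is that compromised hosts will send to it in volume.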
Emotet activity in 2020
Emotet spent the early part of 2020 churning out large quantities of malicious email in volumes consistent with what has been observed from this threat in recent years. As the COVID-19 pandemic began to spread across the globe, malware distributors took advantage of the public's focus on this emerging crisis, and Emotet was no exception. The use of current events in phishing and malspam lures is not a new technique and has been observed from various threat actors, as described in detail here.
Emotet periodically takes breaks from sending malicious spam, as seen earlier this year. Starting in February 2020, Emotet took an extended break from spamming, with only low volumes of Emotet spam observed for several months. It spun up again in June, with massive amounts of spam being sent from July through to the present time, with intermittent pauses along the way. The following graph shows the relative volume of spam for each month in 2020.
Most of the emails associated with Emotet carry malicious attachments that function as malware downloaders. When the victim opens the attached file and enables the malicious content (for Office documents, the embedded macros), it reaches out to the attacker's distribution infrastructure to download the next-stage payload, which is then executed on the victim's system. The overwhelming majority of attachments are malicious Microsoft Office documents (e.g. DOC, DOCX, XLS, XLSX); however, Emotet malspam has also been observed using ZIP archives, PDFs, and other file types. Below is a chart showing the distribution of attachments by file type, based on telemetry collected over the past twelve months.
Investigating the character count of malicious attachment filenames shows a wide range of filename lengths in Emotet malspam, with the most common length being 18 characters (including the file extension).
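How the two distributions above can be derived from captured mail, as an added example that is not Talos's telemetry pipeline: parse each raw RFC 5322 message with the standard library, collect every attachment filename (walking nested multiparts and decoding RFC 2047/2231 encoded names), then count by final extension and by filename length. The SAMPLES corpus is constructed here with placeholder payloads to mirror the file-type mix the post describes; it is not real Emotet mail.

```python
"""Profile attachment file types and filename lengths over captured raw messages.

Added example, not Talos's pipeline. Input is raw RFC 5322 bytes (e.g. what a
sinkhole stored); the SAMPLES corpus below is constructed, not real samples.
"""
import email
import email.policy
from collections import Counter
from email.message import EmailMessage
from pathlib import PurePosixPath
from typing import Iterable, List, Tuple


def attachment_names(raw: bytes) -> List[str]:
    """Every attachment filename in the message, walking nested multiparts.

    policy.default makes get_filename() decode RFC 2047/2231 encoded names,
    so non-ASCII or parameter-continuation filenames come back as plain str.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                      # container, not an attachment itself
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def file_type(name: str) -> str:
    """Lower-cased final extension; 'none' when there is no extension.

    Only the last suffix counts, so 'invoice.DOC.zip' is a zip: the outer
    container is what the mail gateway and the victim see first.
    """
    return PurePosixPath(name).suffix.lstrip(".").lower() or "none"


def profile(messages: Iterable[bytes]) -> Tuple[Counter, Counter]:
    """Return (count by file type, count by filename length incl. extension)."""
    types: Counter = Counter()
    lengths: Counter = Counter()
    for raw in messages:
        for name in attachment_names(raw):
            types[file_type(name)] += 1
            lengths[len(name)] += 1
    return types, lengths


def _sample(filename: str, maintype: str, subtype: str) -> bytes:
    """Constructed message with one attachment (placeholder bytes, not malware)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.org"
    m["Subject"] = "Invoice"
    m.set_content("Please see attached.")
    m.add_attachment(b"\x00" * 16, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


def _no_attachment() -> bytes:
    m = EmailMessage()
    m["Subject"] = "no attachment"
    m.set_content("just text")
    return m.as_bytes()


# Constructed corpus; filenames chosen to mirror the mix in the post (two 18-char .doc names).
SAMPLES = [
    _sample("INVOICE 2020-1.doc", "application", "msword"),
    _sample("INVOICE 2020-2.doc", "application", "msword"),
    _sample("Report 0512.docx", "application",
            "vnd.openxmlformats-officedocument.wordprocessingml.document"),
    _sample("scan.pdf", "application", "pdf"),
    _sample("archive.zip", "application", "zip"),
    _no_attachment(),
]

if __name__ == "__main__":
    types, lengths = profile(SAMPLES)
    print("by type:", types.most_common())
    print("most common filename length:", lengths.most_common(1)[0])
```

Counting by the final extension only is a deliberate choice: it matches how a gateway classifies the file, and an archive wrapping a document still shows up as the archive, which is the row that the ZIP share in the chart above corresponds to.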
Profiling infected systems
We identified infected systems located in more than 200 different countries. This highlights how widespread Emotet's reach is, affecting virtually every country in the world. Below is a map showing the geographic regions associated with the largest number of infected systems that we observed.
Conclusion
Emotet is a heavily distributed threat that has wide-ranging impacts on a variety of different industries and geographic regions. Malicious activity associated with this threat has continued throughout 2020 and will likely continue for the foreseeable future.
Coverage
Ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.
Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.
Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.