Emotet back from Christmas break to wreak havoc on networks


Massive campaign by APT group targets pharma companies in the US, Mexico, Germany, Japan and Australia amongst other regions and sectors

Emotet has returned to victims’ inboxes after a Christmas hiatus, according to security researchers. The malware has been observed targeting pharmaceutical companies in the US, Mexico, Germany, Japan and Australia, amongst other regions and sectors.

The Trojan-turned-botnet is being distributed by threat group TA542, using attachments and malicious links containing the botnet payload, wrote Sherrod DeGrippo, senior director of threat research and detection for Proofpoint. 

Emotet is one of the world’s most disruptive threats and organisations worldwide should take its return seriously, DeGrippo warned.

"They have a massive sending infrastructure—nobody hits volumes like they do."

TA542’s recent uptick in activity shows that threat actors work smarter not harder, she added. 

"They took 150 days off in 2019 and even with breaks, they’re incredibly effective. When TA542 returned in September 2019 from a summer hiatus, they accounted for over 11% of all malicious attachments we saw globally for the entire third quarter of that year despite being active for only two weeks during that three month period," she wrote.

The hacking group’s new campaign has focused on North America and the pharmaceutical industry in particular. It soon spread to other countries. 

"At the same time, they expanded the languages used in their email lures from English on Monday to Chinese, German, Italian, Japanese and Spanish. As usual for this group, they’ve expanded to target a variety of industries," she wrote.

DeGrippo added that TA542 is capable of incredible volumes in a short period of time, making them a significant threat.

"On Monday alone we saw nearly three quarters of a million messages and they’re already fast approaching one million messages total. To give this context, this isn’t the highest volume we’ve ever seen from this actor: that was over one million messages in one day. But Monday was the biggest volume since April 2019," she wrote.

Being a modular, robust botnet, Emotet is capable of downloading and installing a range of additional malware that often steals information and sends malicious email. It can also spread across networks and use infected devices to launch further attacks.

"Emotet is a highly effective malware being used by a highly effective and sophisticated threat group with a large global infrastructure," wrote DeGrippo.

It’s important that security teams continuously monitor and secure their email channels and educate users regarding the increased risks associated with email attachments, she suggested.

Users must be sceptical and vigilant of any messages they receive encouraging urgent action, Ed Bishop, chief technology officer at Tessian, told SC Media UK. 

"However, relying on human vigilance alone won't adequately protect organisations from threats such as these. People make mistakes and are easily fooled. Organisations need layered defences to help stop people downloading malicious attachments or clicking on malicious links," he said.

Emotet is quite difficult to mitigate against with any one security control because of the various techniques and methods it employs, KnowBe4 security awareness advocate Javvad Malik told SC Media UK.

"While it is important to have technical controls in place, many of the social engineering techniques can bypass technical controls. Therefore, it's vital that organisations invest in providing security awareness and training to employees so that they can be better equipped to identify and report any suspicious activity," he said.
