Emotet hijacks email conversation threads to insert links to malware

Emotet gang takes their operation to a whole new level, showing why they're today's most dangerous malware.

Emotet

The Emotet malware gang is now using a tactic that has been previously seen used by nation-state hackers.

The group has been spotted this week reviving old email conversation threads and injecting links to malicious files.

Users involved in the previous email exchanges would receive an email spoofed to appear from one of their previous correspondents, but actually coming from Emotet servers.

The email conversation thread would be left intact, but the Emotet gang would insert an URL at the top of the email that would link to an Emotet-infected file, or attach a malicious document to the existing email thread.

Tactic stolen from North Korean hackers

The tactic isn't new. Back in October 2017, Palo Alto Networks reported that a North Korean hacking group was doing the same, inserting malware into old email threads.

The difference is that the North Korean group was hacking into email accouns, one at a time, to hijack old email threads.

The Emotet gang has taken a different approach. They are leveraging email threads they began mass-harvesting from previously infected victms in October last year.

The group started experimented with hijacking stolen email threads as a spam distribution technique last month, according to a Minerva Labs report, but they began using it at scale this week, according to security firms Cofense and Kryptos Logic, and security researcher Marcus "MalwareTech" Hutchins.

Current Emotet spam appears to be leveraging email conversations that have been stolen prior to November 2018, Cryptolaemus Group security researcher Joseph Roosen told ZDNet in an interview. Cofense believes that more recently harvested email threads will be used in the future.

Enlgish and German email threads are being hijacked

This new Emotet email thread spam isn't limited to Enlgish emails, but both English and German email threads are being revived, Roosen told us.

"The injected reply is usually prefaced with 'Attached is your confidential docs'," he said. "These templates are pretty limited in run and not very numerous compared to the 'normal' [Emotet] malspam," Roosen told ZDNet.

Nevertheless, the Emotet team appears to have put its full attention behind this spam campaign. Normally, the Emotet botnet is split in two clusters, named E1 and E2. Roosen told ZDNet that both clusters are now busy spewing out hijacked email threads.

emotet-dual-infrastructure.png

Image: Trend Micro

If over the course of the following days you receive a reply from an old email thread, this means you're most likely being targeted with Emotet malware.

Furthermore, this also means that at least one person in that email thread has been infected with Emotet in the past.

If it's a business-related thread, this means that one of the employees or companies in that thread has already been compromised by Emotet in the past six months, and might have had sensitive data stolen from their networks already.

Hence, any system administrator seeing one of these emails arriving on their company's email server should start scanning for Emotet artifacts on his internal network right away.

Emotet --today's most dangerous malware

Currently, Emotet is considered one of the most dangerous malware strains. The malware once used to be a banking trojan, but has transformed into a versatile malware "downloader" over the course of the past two years.

Emotet is now a giant botnet of infected computers which its operators are renting to other criminal gangs. For example, reports from CrowdStrike, FireEye, Kryptos Logic, McAfee, IBM, and Cybereason, all say that Emotet has been used as a springboard for the Ryuk, LockerGoga, and BitPaymer ransomware strains.

Microsoft has issued a formal warning about Emotet to businesses around the world in November 2017, when Emotet had finished trasnforming from a banking trojan into a malware downloader.

Since then, Emotet has grown to a massive size. A Spamhaus report put the number of Emotet infections for the months of February and March 2019 at 47,000.

Aaron Higbee, Cofense Co-Founder and CTO, told ZDNet that his company "has seen over 700k infections during the last 12 months of monitoring."

Further, these infections numbers are only scratching the surface, as Emotet bots also have the ability to move laterally inside a compromised network and make even more victims, some of which are harder or near impossible to track accurately, as Hutchins said last week on Twitter.

Higbee similarly agrees.

"[The 700k] number should take in to account further victims due to lateral movement," Higbee told us. "On average, we see approximately 20k+ new unique infections per week. While this number does not reflect the current running total within the botnet, it speaks to the efficacy of the Emotet groups tactics."

In addition, as a testament to Emotet's prevalence on today's malware landscape, the malware is ranked first in the list of top 10 malware strains analyzed on the Any.Run virtualization service, and ranked second in Check Point's top 10 malware families ranking for March 2019 (the ranking is somewhat controversial and inaccurate, but Emotet's rank still gives a good impression of the malware's ubiquity).

Emotet's new tactic is quite efficient

Leveraging email conversation threads for malware distribution isn't new. For example, the URSnif banking trojan has used a similar tactic in previous years --in March and October 2018.

The differenec is that the URSnif gang fabricated the email threads from scratch. It didn't use authentic conversations that recipients are most likely to remember, and inherently trust.

"This is a new tactic for Emotet but it was expected ever since the email stealer module was seen in November of 2018 by KryptosLogic," Roosen told ZDNet.

"I think this is a very dangerous situation for various reasons. Despite the exfiltrated email conversations being dated, the use of previously sent material instills a comfort level for most users because of the familiarity.

"As [we] know, most malspam is sent as a start of a new conversation/thread. It is unique to have an actual reply from a 'known' source with your previous emails referenced. Because of that familiarity, recipients may let the guard down and perform actions they may not normally do with a new email," Roosen told us.

"The other reason why this is dangerous is because of the data contained within the threads of the emails and how it may be a compliance violation and security nightmare. Think GDPR/HIPAA [violations]," Roosen said, pointing ZDNet to an incident where an Emotet infection turned into a data breach notification.

The several security researchers with whom ZDNet spoke today are now keeping a close eye on Emotet to see if upcoming campaigns will start sending these email threads to persons not included in the original email loops, potentially exposing private conversations to outsiders, competing companies, or other interested parties --which would likely act on their innate curiosity and see what their competition or bussiness partners have been up to, and get infected with Emotet along the way. Just remember: Curiosity killed the cat!

Article updated post-publication on April 12 with link to Kryptos Logic report.

Related malware and cybercrime coverage: