The botnet strategy of threat actors to infect systems in bulk is rampant. Moreover, the degree of severity is also soaring with every botnet campaign. Last week, a highly notorious botnet, deemed to be the most prevalent threat of 2019, resurfaces after a five-month hiatus: Emotet Botnet. According to researchers, the botnet is capable of executing a range of notorious activities like stealing bank credentials, spamming, harvesting and spreading on the local networks through Microsoft Office phishing campaign.
Emotet botnet infects the systems through infected email attachments and tricking victims in clicking the attachments on legitimate email replies sent from the zombie systems on the botnet network.
About Emotet Botnet
First emerged in 2014, Emotet was primarily known as a botnet but was often linked to malware infecting systems and stealing bank credentials. With time the operators of the botnet enhanced their techniques and advanced the banking trojan to install other payloads on the host systems employing a range of other malicious activities.
The Emotet botnet is known to provide rent access to host systems for other cybercrime groups (such as ransomware gangs, other malware operators such as Trickbot, etc.). Due to its ties with other ransomware groups in Germany and Netherlands, many experts conceit Emotnet as a ransomware group.
Emotet is known to emerge after frequent periods of inactivity. Likewise, after a five-month break, it emerges again with a campaign targeting Microsoft Office. The news of its revival is one that no person in the cybersecurity business will enjoy. Emotet Botnet was one of the most notorious threats in 2019. Before going underground in February, it was by far, the most active and sophisticated cybercrime operation.
The victims of the botnet have been spotted in the U.S., U.K., Canada, Austria, Germany, Brazil, Italy and Spain.
The return of Emotet was first spotted by Malwarebytes Labs July 13 and the campaign took off by July 17.
Methodology
The Emotet botnet operates an infrastructure of email spam through its host systems. The campaign is carried out through three different subgroups or server clusters known as the Epoch 1, Epoch 2, and Epoch 3 trying to infect new users with its malware payloads.
The threat actors behind the campaign deploy phishing emails with a malicious MS-Word attachment or a URL to the malicious download. The malicious link downloads and installs Emotet payloads. The email lures are short and in the native language of the recipient. On 25 July, over 800,000 malicious emails were detected to infect users with malicious payloads to increase the size of the payloads.
It is seen when the victim opens the Word file an Office 365 error appears, forcing the user to enable macros. Once enabled, the obfuscated macros launch PowerShell to retrieve run nefarious activities in the background, retrieving Emotet botnet malicious payloads from a remote compromised website.
Emotet Payloads
After penetrating the host systems, the cybercrooks can wait for weeks to take toll of the system by downloading a range of malicious payloads.
In the early stages, Emotet botnet was associated with a malware known as Trickbot but now the new campaign has replaced it by delivering a banking trojan named Qakbot (or Qbot).
Being active since 2008, Qakbot is a vogue banking trojan with the ability to steal data and credentials of bank customers. It has victimised various giant financial institutions including JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo. In 2014, Qbot compromised 800,000 banking credentials in a single campaign.
According to Proofpoint, threat actor TA542 is believed to be behind the campaign. The hacking group is also known as Mummy Spider and Gold Crestwood.
The campaign is no longer intended to steal banking data alone but the threat actors are installing other malicious payloads to spam, harvest emails and spread through the local networks.
Mitigations
- Companies and organisations affected with the botnet should isolate the infected system and take their network offline and making necessary measures to remove the payloads and identify other damage done by the malware.
- Never click on attachments from unknown emails. In the majority of the cases, malicious campaigns penetrate a system through spear-phishing emails. Likewise in Emotet botnet attacks.
- Avoid clicking links in emails. Hover the cursor over the link to verify that the URL matches with the anchor’s text and email’s stated destination.
- Updating security settings to secure system macros in Office documents and reviewing logs for any system intrusions should be implemented to prevent spear-phishing carried attacks.
- Another popular method for threat detection is to leverage SIEM signatures and perform endpoint scans for malicious payloads.
- Experts say that a way to prevent these types of attacks is to run executables and raise awareness amongst employees, about how a system can be compromised with phishing.
Always follow cyber-ethics strictly. Cyber attacks are soaring rapidly making security a myth!
