Japan, France, New Zealand Warn of Sudden Uptick in Emotet Trojan Attacks
Ravie Lakshmanan - September 08, 2020
Cybersecurity agencies across Asia and Europe have issued multiple security alerts regarding the resurgence of email-based Emotet malware attacks targeting businesses in France, Japan, and New Zealand.
"The emails contain malicious attachments or links that the receiver is encouraged to download," New Zealand's Computer Emergency Response Team (CERT) said. "These links and attachments may look like genuine invoices, financial documents, shipping information, resumes, scanned documents, or information on COVID-19, but they are fake."
Echoing similar concerns, Japan's CERT (JPCERT/CC) cautioned that it found a sudden uptick in the number of domestic domain (.jp) email addresses that have been infected with the malware and can be misused to send spam emails in an attempt to spread the infection further.
First identified in 2014 and distributed by a threat group tracked as TA542 (or Mummy Spider), Emotet has since evolved from its original roots as a simple banking Trojan to a modular "Swiss Army knife" that can serve as a downloader, information stealer, and spambot depending on how it's deployed.
In recent months, the malware strain has been linked to several botnet-driven malspam campaigns and is even capable of delivering more dangerous payloads such as Ryuk ransomware by renting its botnet of compromised machines to other malware groups.
The new uptick in Emotet activity coincides with the botnet's return after a prolonged development period that began on February 7 earlier this year, with the malware now sending large volumes of malicious emails every weekday targeting European organizations.
"Around February 7, Emotet entered a period of time where they stopped spamming and began working on developing their malware," Binary Defense outlined in a report detailing an exploit (called EmoCrash) to prevent the malware from affecting new systems.
Typically spread via large-scale phishing email campaigns involving malicious Microsoft Word or password-protected ZIP file attachments, the recent wave of attacks has taken advantage of a technique called email thread hijacking, using it to infect devices with follow-on banking Trojans.
Thread hijacking works by exfiltrating email conversations and attachments from compromised mailboxes and using them to craft convincing phishing lures: malicious replies to existing, ongoing email threads between the infected victim and other participants, which makes the messages seem more credible.
"TA542 also constructs phishing emails on the basis of information collected during the compromise of mailboxes, which it sends to exfiltrated contact lists, or more simply spoofs the image of entities, prior victims," the National Cybersecurity Agency of France (ANSSI) said.
In addition to using JPCERT/CC's EmoCheck tool to detect the Emotet trojan's presence on a Windows machine, it's recommended that network logs are routinely scanned for any connection to known Emotet command-and-control (C2) infrastructure.
"Since returning from an extended vacation, TA542 email campaigns are once again the most prevalent by message volume by a large margin, with only a few other actors coming close," Proofpoint said in an analysis of Emotet last month.
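The routine log scan recommended above, as an added example that is not part of the original article or of any agency's tooling. The C2 indicators, the key=value log format and the sample log lines are all constructed placeholders; a real deployment would load indicators from a threat intelligence feed and adapt the parser to the firewall or proxy log format in use.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder C2 indicators (IP, port); not real Emotet infrastructure.
KNOWN_C2 = {
    ("203.0.113.45", 8080),
    ("198.51.100.7", 443),
}

# Constructed sample firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
2020-09-08T10:01:12Z src=10.0.0.12 dst=203.0.113.45 dport=8080 action=allow
2020-09-08T10:01:15Z src=10.0.0.12 dst=93.184.216.34 dport=443 action=allow
2020-09-08T10:02:40Z src=10.0.0.33 dst=198.51.100.7 dport=443 action=allow
2020-09-08T10:03:01Z src=10.0.0.12 dst=203.0.113.45 dport=8080 action=allow
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:  # reject lines whose addresses are not valid IPs
        ipaddress.ip_address(m["src"])
        ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return m["ts"], m["src"], m["dst"], int(m["dport"])


def find_c2_contacts(log_text, indicators=KNOWN_C2):
    """Map each internal host to its connections that match a known C2 (dst, port)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if (dst, dport) in indicators:
            hits[src].append((ts, dst, dport))
    return dict(hits)


if __name__ == "__main__":
    for host, contacts in find_c2_contacts(SAMPLE_LOG).items():
        print(f"{host}: {len(contacts)} connection(s) to known C2")
```

Hosts reported by the scan are candidates for an on-host check with EmoCheck and for isolation, since a single allowed connection to a known C2 endpoint is enough to warrant triage.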
"They have introduced code changes to their malware, such as updates to the email sending module, and picked up a new affiliate payload to distribute (Qbot), [and] expanded targeting of countries using native language lures."