January 23, 2020

The Emotet Threat Group Has Military Emails, and Phishing Campaigns are Spiking

"Sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the US government"

By CBR Staff Writer

Threat group TA542, widely believed to be behind the modular malware Emotet, is back with a vengeance, delivering over 750,000 malware-laced phishing emails via botnets in a single day this month – as the US’s Cybersecurity and Infrastructure Security Agency (CISA) warned security teams to be alert to the rising threat.

Proofpoint, which tracked the figure (not the highest recorded: it’s previously tracked over one million phishing emails distributing the Emotet malware in a day) notes that the threat group has significantly scaled up its campaigns not just in English, but in Chinese, German, Italian, Japanese and Spanish.

(As Cisco’s Talos noted in a blog on January 16, “Emotet has a penchant for stealing a victim’s email, then impersonating that victim… The malicious emails are delivered through a network of stolen outbound SMTP accounts. This relatively simple email-man-in-the-middle social engineering approach has made Emotet one of the most prolific vehicles for delivering malware that we have seen in modern times.”)

Cofense Labs meanwhile says it is tracking a “meeting” inspired phishing theme.


California-based Proofpoint said: “TA542 has used widespread email campaigns on a huge, international scale that have affected North America, Central America, South America, Europe, Asia, and Australia… TA542 has massive sending infrastructure: nobody generates volumes like they do these days. Campaigns that TA542 unleash have big volumes and are widespread across verticals, languages and people. Even if they take 150 days off in a year, like they did in 2019, they can do lots of damage.”

CISA meanwhile recommends some cyber hygiene essentials, urging admins to:

  • Block email attachments commonly associated with malware (e.g., .dll and .exe).
  • Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  • Implement Group Policy Object and firewall rules.
  • Implement an antivirus program and a formalized patch management process.
  • Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
  • Adhere to the principle of least privilege.
  • Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
  • Segment and segregate networks and functions.
  • Limit unnecessary lateral communications.
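The first two items on that list are the ones most directly enforceable in code at the mail gateway. The following Python script is an added example, not code from CISA, Proofpoint, Talos or the article: it parses a raw message, rejects attachments whose file type is commonly associated with malware, looks inside archives it can open so an executable hidden in a .zip is still caught, and treats archives that cannot be opened or whose members are encrypted as unscannable and therefore blocked. The blocked-extension list, the sample message and its attachments are all constructed for the example.

```python
"""
Email-gateway attachment policy check (added example; not code from CISA or the article).

Implements two of the hygiene items from the CISA list:
  1. block attachments whose file type is commonly associated with malware;
  2. block attachments that cannot be scanned (archives that cannot be opened,
     or whose members are encrypted), while still inspecting archives that
     *can* be opened so an .exe hidden in a .zip is caught.

The blocked-extension list, the sample message and its attachments are
constructed for this example and are not taken from the article.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Constructed policy: extend to the file types your gateway should never pass.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1"}
ARCHIVE_EXTENSIONS = {".zip"}
ZIP_FLAG_ENCRYPTED = 0x1  # general-purpose bit 0 in a ZIP entry header


def _extension(filename: str) -> str:
    """Lower-cased suffix of a filename, '' when there is none."""
    return PurePosixPath(filename or "").suffix.lower()


def inspect_archive(data: bytes) -> list[str]:
    """Return the reasons to block an archive attachment; [] means scannable and clean."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                    # Password-protected member: antivirus cannot look inside it.
                    reasons.append(f"encrypted archive member cannot be scanned: {info.filename}")
                elif _extension(info.filename) in BLOCKED_EXTENSIONS:
                    reasons.append(f"blocked file type inside archive: {info.filename}")
    except zipfile.BadZipFile:
        # Not a readable ZIP, so nothing downstream can scan it either.
        reasons.append("archive could not be opened for scanning")
    return reasons


def evaluate_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide whether the gateway should block it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked file type: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            reasons.extend(inspect_archive(part.get_payload(decode=True) or b""))
    return {"blocked": bool(reasons), "reasons": reasons}


def build_sample_message(malicious: bool = True) -> bytes:
    """Constructed test message: a text body plus attachments that exercise each rule."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Re: meeting notes"
    msg.set_content("Please see the attached notes from today's meeting.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="notes.pdf")
    if malicious:
        # 1. an executable attached directly
        msg.add_attachment(b"MZ constructed", maintype="application", subtype="octet-stream",
                           filename="invoice.exe")
        # 2. an executable hidden inside an otherwise innocuous archive
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("report.txt", "quarterly numbers")
            zf.writestr("report.exe", b"MZ constructed")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="report.zip")
        # 3. claims to be a ZIP but cannot be opened, so it cannot be scanned
        msg.add_attachment(b"PK\x03\x04" + b"\x00" * 40, maintype="application", subtype="zip",
                           filename="broken.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("clean", build_sample_message(False)),
                       ("malspam", build_sample_message(True))):
        print(label, evaluate_message(raw))
```

Run stand-alone it prints a clean verdict for the benign message and three block reasons for the malicious one. In production the extension set would be driven by the gateway's policy rather than hard-coded, and the archive inspection would recurse into nested archives and hand scannable members to the antivirus engine; the structure of the decision (block known-bad types, block what cannot be inspected) stays the same.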

Emotet has also compromised military emails.

Talos notes: “Sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the US government. As a result of this, Talos saw a rapid increase in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019. Now that Emotet is back from their Orthodox Christmas vacation, that trend has continued into January 2020.”

During Q4 2019 alone, Cofense observed [pdf] the use of over 290,000 unique compromised email addresses to send Emotet malspam, including 140,000+ unique, newly compromised email accounts. It also tracked more than 33,000 unique attachment hashes and 5,800 unique payload URLs during the quarter, with malicious emails delivered to approximately 16 million users worldwide.

