Threat group TA542, widely believed to be behind the modular malware Emotet, is back with a vengeance, delivering over 750,000 malware-laced phishing emails via botnets in a single day this month – as the US’s Cybersecurity and Infrastructure Security Agency (CISA) warned security teams to be alert to the rising threat.
Proofpoint, which tracked the figure (not the highest recorded: it’s previously tracked over one million phishing emails distributing the Emotet malware in a day) notes that the threat group has significantly scaled up its campaigns not just in English, but in Chinese, German, Italian, Japanese and Spanish.
(As Cisco’s Talos noted in a blog on January 16, “Emotet has a penchant for stealing a victim’s email, then impersonating that victim… The malicious emails are delivered through a network of stolen outbound SMTP accounts. This relatively simple email-man-in-the-middle social engineering approach has made Emotet one of the most prolific vehicles for delivering malware that we have seen in modern times.”
Cofense Labs meanwhile says it is tracking a “meeting” inspired phishing theme.
#Emotet Appears to be testing out a new "meeting" inspired theme today. Subjects include:
Next meeting on friday
Space for a brief meeting
Everyone must attend tomorrow's meeting
The meeting will be held on Friday.
regular meeting on friday
Next regular meeting on friday
— Cofense Labs (@CofenseLabs) January 21, 2020
California-based Proofpoint said: “TA542 has used widespread email campaigns on a huge, international scale that have affected North America, Central America, South America, Europe, Asia, and Australia… TA542 has massive sending infrastructure: nobody generates volumes like they do these days. Campaigns that TA542 unleash have big volumes and are widespread across verticals, languages and people. Even if they take 150 days off in a year, like they did in 2019, they can do lots of damage.”
CISA meanwhile recommends some cyber hygiene essentials, urging admins to:
- Block email attachments commonly associated with malware (e.g.,.dll and .exe).
- Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
- Implement Group Policy Object and firewall rules.
- Implement an antivirus program and a formalized patch management process.
- Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
- Adhere to the principle of least privilege.
- Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
- Segment and segregate networks and functions.
- Limit unnecessary lateral communications.
Emotet has also compromised military emails.
Emotet are literally sitting inside US .mil and .gov networks (hi the DOJ) exfiling their data, it's hilarious. Good job we're panicking about some NSA crypto thing which this has never used. They're been active for almost half a decade. pic.twitter.com/4M8K6wCPkC
— Kevin Beaumont (@GossiTheDog) January 17, 2020
Talos notes: “Sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the US government. As a result of this, Talos saw a rapid increase in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019. Now that Emotet is back from their Orthodox Christmas vacation, that trend has continued into January 2020.”
During Q4 2019 alone, Cofense observed [pdf] the use of over 290,000 unique compromised email addresses to send Emotet malspam, including the use of 140,000+ unique and new compromised email accounts. It tracked more than 33,000 unique attachment hashes and 5,800 unique payload URLs were spotted during the quarter — with malicious emails delivered to approximately 16 million users worldwide.