Microsoft 365 Defender data shows that the disruption of Emotet infrastructure immediately resulted in the drop in new campaigns. Given Emotet’s reach and role in the deployment of payloads like ransomware, however, customers should ensure continued monitoring and protection.
Just before the takedown, Emotet was very active, launching massive campaigns every week after coming out of a hiatus in late December. The most recent campaigns used the usual document attachments malicious macros that ran a PowerShell script to download a DLL payload.
The use of DLL payload (instead of EXE) is one of updates Emotet introduced in December. These updates, which also included the use of 7 download URLs (up from 5) and binary format for C2 communication (replacing text), show Emotet was actively evolving before being disrupted.
Microsoft 365 Defender has durable detections for Emotet’s multi-component attack chain, including emails, attachments, URLs, payloads, relevant attacker activity. Customers can refer to the threat analytics report for technical info, impact assessment, and recommended defenses.
As we continue to monitor the impact of the takedown to the threat of Emotet, we encourage our customers to take full advantage of the comprehensive visibility and coordinated defense provided by Microsoft 365 Defender to harden networks and hunt for related malicious activity.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
We detected a recent spike in busines email compromise (BEC) attacks soliciting gift cards primarily targeting K-12 schoolteachers. Attackers impersonate colleagues or school officials to ask recipients to purchase various gift cards.
The fraudulent emails are sent from attacker-created accounts on free email service providers, such as Gmail, Mail[.]ru, Yahoo, Hotmail, Outlook, and iCloud. As in many BEC campaigns, attackers identify targets through their publicly available info on websites and social media.
Attackers use various scenarios and lures to feign legitimacy and urgency. Based on intelligence, these attackers have also used COVID-19 lures for similar gift card BEC campaigns.
As Solorigate continues to be the top security topic, it’s business as usual for some cybercrime operations. After being seen in short-lived campaigns before Christmas, Emotet is back this week in a new campaign that uses various lures, including, oddly, "Christmas Party".
Emotet is known for its penchant for using holiday-themed emails, but this week’s campaign also uses what’s proven effective for the operators: a wide range of lures in massive volumes of emails, the use of fake replies or forwarded emails, password-protected archive attachments.
The new Emotet campaign still uses documents that contain malicious macro that, when enabled, connects to seven malicious domains to download the Emotet payload.
In the past weeks, researchers have noted the increased abuse of legitimate cloud hosting services in malware campaigns. Microsoft threat intelligence shows this trend persists, w/ a number of known malware incl. BazarLoader, Zloader, Lightbot, Hancitor, etc. using the technique.
The email campaigns use a wide range of lures, incl. ones that use threats of job dismissal, exposing illegal activity, other fear tactics. The link leads to a malicious document or archive file hosted on a legitimate service. Downloading & opening the file leads to the payload.
A recent campaign uses password-protected .zip files hosted on Google Drive, with the password (curiously incorrect in this sample) in the email. While other services, incl. those from Microsoft, have been abused, the recent spike in the use of Google services is notable.
We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering. The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.
One of the interesting techniques we observed in this campaign is the use of redirector sites with a unique subdomain for each target. The subdomain follows different formats but generally always contains the recipient’s username and org domain name.
This unique subdomain is added to a set of base domains, typically compromised sites. Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient.
Emotet joined the password-protected attachment bandwagon with a campaign starting Friday. The campaign slowed down over the weekend (typical of Emotet) but was back today in even larger volumes of emails in English, as well as in some European languages.
The Emotet emails carry a password-protected archive file that contains a document with malicious macro, which then downloads the Emotet payload. In contrast, last week’s Trickbot campaign used password-protected documents attached directly to emails.
If the recipient enters the password, which is in the email body, the document tricks users into enabling the malicious macro by claiming the that the file was created on “Windows 10 Mobile” (Friday’s campaign) or “Android device” (today’s campaign).
Earlier this week we started seeing a spike in the use of password-protected documents in multiple malware campaigns, including Trickbot. These documents are attached to emails that use varying social engineering lures like the typical "order", "invoice", "documents".
We also saw the increasingly less common but still used “new corona case” lure. Some of the emails also indicate more specific targeting, with attackers using the domain of compromised sender accounts as part of the email body for improved believability.
When opened, the malicious documents prompt for the password, which is in the email body. If the recipient enters the password, the document opens with instructions to enable editing and enable content, so that a malicious macro can run and download the payload.