Further Emotet Evolution: Operators Hijacking Existing Email Threads to Deliver Malware

Ever since its discovery in 2014, Emotet has undergone multiple changes. It started off as a straightforward banking Trojan but eventually evolved into a malware downloader, and further changed by eventually adding more features such as a spamming module and other mechanisms to increase its efficiency and evasiveness.

Spam has consistently remained the main delivery method for Emotet. In the first quarter of 2019, Emotet was seen being used in a campaign that involved over 14,000 spam emails which intended to deliver the malware Nymaim, a downloader for the Nozelesn ransomware, among its secondary payloads. As spam campaigns usually go, this latest one relied more on a large number of emails being sent rather than on the creation of realistic emails designed to trick their targets. However, security firm Cofense and security researcher Marcus Hutchins revealed that the threat actors behind the notorious malware are trying new techniques that make the malicious emails seem even more convincing: hijacking older email threads and reviving them with new replies.

Hijacking existing email conversations is not a new technique. For example, it was observed in a 2018 spam campaign wherein the threat actors replied to ongoing threads with messages containing the URSNIF malware. This latest Emotet campaign is similar in that the spam is being sent as part of an already existing email exchange instead of as new messages being sent to potential victims. The spoofed message comes with either a URL that, when clicked, will direct the user to a file infected with Emotet, or with a malicious attachment containing the malware. Perhaps the most significant difference between the two campaigns is that, unlike the URSNIF campaign, which sent new (and potentially out-of-context) replies to the thread, the Emotet messages reference older replies, thus making it more believable to potential victims. An email thread containing a reply from one of Emotet’s servers means that at least one participant has already been infected.  

The Emotet operators used emails they harvested from previously infected victims, specifically from November 2018 according to security researcher Joseph Roosen, indicating that the latest campaign is part of a sustained multistage, large-scale campaign.

Fighting the Emotet menace

Emotet has grown from a simple banking malware into one of the world’s most dangerous and resilient cyberthreats, often being used in multiregion campaigns involving a wide array of tools, tactics, and procedures. Given what we’ve seen and learned from the malware over the years since its discovery, it shouldn’t come as a surprise to see more developments for Emotet over the coming months.

Combating a malware like Emotet requires a concerted effort from both individuals and organizations, with special focus on defending against its main attack vector: emails.

  • Users should always take into account the context of an email and whether the message fits the conversation. In this case, even if the message is related to the conversation, the fact that it is sent some time after the last reply should be a red flag.
  • Any links or attachments in an email should be treated with caution, especially if the URL or filename seems suspicious — for example, if they contain random words and letters.
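The two red flags above (a reply that revives a thread long after its last message, and a link or attachment whose name looks like random letters and digits) can be turned into a simple mailbox triage check. The following is an added example written for this post, not Trend Micro's own tooling or anything from the campaign itself; the three messages, the addresses, the `Message-ID` values, the 14-day threshold and the "random-looking token" regex are all constructed or assumed for illustration.

```python
import email
import re
from datetime import timedelta
from email import policy
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample thread (hypothetical addresses): two legitimate messages,
# then a "reply" that revives the thread six weeks later with an attachment.
SAMPLE_MESSAGES = [
    """From: alice@example.com
To: bob@example.net
Subject: Invoice for October
Date: Mon, 01 Oct 2018 09:00:00 +0000
Message-ID: <msg1@example.com>
Content-Type: text/plain

Hi Bob, please find the invoice details below.
""",
    """From: bob@example.net
To: alice@example.com
Subject: RE: Invoice for October
Date: Tue, 02 Oct 2018 10:30:00 +0000
Message-ID: <msg2@example.net>
In-Reply-To: <msg1@example.com>
Content-Type: text/plain

Thanks Alice, received.
""",
    """From: alice@example.com
To: bob@example.net
Subject: RE: Invoice for October
Date: Wed, 14 Nov 2018 13:05:00 +0000
Message-ID: <msg3@mail-relay.invalid>
In-Reply-To: <msg2@example.net>
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached update.

--XYZ
Content-Type: application/msword; name="Doc_k8x2q9Z1.doc"
Content-Disposition: attachment; filename="Doc_k8x2q9Z1.doc"

(attachment body omitted)
--XYZ--
""",
]

STALE_REPLY = timedelta(days=14)  # assumed threshold; tune to your own traffic
URL_RE = re.compile(r"https?://\S+")
# A run of 8+ characters that mixes letters and digits, e.g. "k8x2q9Z1".
RANDOM_TOKEN = re.compile(r"(?=[A-Za-z]*\d)(?=\d*[A-Za-z])[A-Za-z0-9]{8,}")


def parse_messages(raw_messages):
    return [email.message_from_string(raw, policy=policy.default) for raw in raw_messages]


def attachment_names(msg):
    return [part.get_filename() or "" for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def body_text(msg):
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain"
                     and part.get_content_disposition() != "attachment")


def find_stale_hijack_replies(messages, stale_after=STALE_REPLY):
    """Flag replies that answer an old message *and* carry a link or attachment."""
    by_id = {str(m["Message-ID"]).strip(): m for m in messages}
    findings = []
    for msg in messages:
        if msg["In-Reply-To"] is None:
            continue
        parent = by_id.get(str(msg["In-Reply-To"]).strip())
        if parent is None:
            continue
        gap = parsedate_to_datetime(msg["Date"]) - parsedate_to_datetime(parent["Date"])
        if gap < stale_after:
            continue
        reasons = [f"reply arrived {gap.days} days after the message it answers"]
        carriers = attachment_names(msg) + URL_RE.findall(body_text(msg))
        if not carriers:
            continue  # stale but harmless reply; nothing to deliver a payload with
        for token in carriers:
            label = "random-looking" if RANDOM_TOKEN.search(token) else "present"
            reasons.append(f"link/attachment {label}: {token}")
        # Weak signal only: the Message-ID domain differs from the From domain.
        from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
        msgid_domain = str(msg["Message-ID"]).strip(" <>").rpartition("@")[2]
        if from_domain and msgid_domain and from_domain != msgid_domain:
            reasons.append(f"Message-ID domain {msgid_domain} != sender domain {from_domain}")
        findings.append({"message_id": str(msg["Message-ID"]).strip(),
                         "from": str(msg["From"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_stale_hijack_replies(parse_messages(SAMPLE_MESSAGES)):
        print(finding["message_id"], finding["from"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Only the November message is reported: the one-day-later reply from Bob is inside the threshold and carries nothing. The `Message-ID` comparison is deliberately treated as a weak signal, since many legitimate mail systems generate IDs under a domain other than the sender's; it is there to give an analyst context, not to decide on its own.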

However, even applying these best practices might not be enough to completely shut down a threat as versatile as Emotet, especially for organizations that lack the manpower and expertise to deal with both its volume and complexity. In cases such as this, companies can augment their security setup by considering external security services such as Trend Micro’s managed detection and response (MDR) service, which provides on-demand access to full-time threat analysts, investigators, and incident response experts. Backed by 30 years of experience in threat research, MDR can also provide context to security alerts, logs, and data to build a clearer picture of where an attack is coming from, what it does, and how it moves within the network. MDR can support organizations by providing threat hunting, investigation, and correlation, log aggregation, alert triage, and security data analysis. An MDR service assists organizations in maintaining a good security posture by ensuring that they have the necessary people, tools, and technologies to detect, analyze, and respond to any threat.

