New data from HP Inc. shows cyberattacks involving the Emotet Trojan increased by more than 1,200% between Q2, 2020 and Q3, 2020.
The data for the company's October 2020 Threat Insights Report come from HP Sure Click Enterprise, a security solution deployed on enterprise desktops and laptops that isolates suspicious content in a secure container, allowing malware to run and be captured without reaching the host. Data were collected from 1 July to 30 September 2020, and the report provides insights into malware trends to help network defenders combat emerging threats and better defend their networks.
The Emotet Trojan is distributed via spam email, with the threat actors often taking breaks during which there is little to no Emotet activity. The Emotet botnet had been largely inactive since September 2019, but sprang back to life in July 2020, initially with a relatively small campaign by Emotet standards; activity then grew considerably throughout the third quarter.
A particularly large campaign was conducted in August 2020, followed by extensive campaigns throughout September. Based on these patterns of activity, HP researchers expect Emotet to remain active until early 2021, with weekly spam runs distributing the Trojan.
Many of the Emotet attacks in Q3 targeted enterprise users in Japan and Australia, which accounted for 32% and 20% of Emotet emails respectively, based on an analysis of recipient addresses by top-level domain. The campaigns also targeted organizations rather than personal users: more than a quarter of the emails in Q3 were sent to .org domains.
Campaigns distributing the Emotet Trojan use business-themed lures likely to catch out employees, such as fake shipping notices, purchase orders and invoices, with the Trojan downloaded by malicious Word documents attached to the emails.
Emotet is also known for hijacking message threads to increase the probability of the Trojan being installed. A compromised user's email account is monitored, and the attackers either reply to a legitimate email received from one of the user's contacts or inject a response into an existing message thread, attaching a malicious document or link. The recipient can easily be fooled into opening the attachment because the message appears to be a genuine reply in a conversation they were already part of. This tactic has proven very successful for the Emotet gang.
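The two characteristics described above, business-themed Word attachments and replies injected into genuine threads, can be turned into a simple mail triage heuristic. The script below is an added example and is not code from the HP report or from HP Sure Click. It assumes that a hijacked-thread lure is sent from the attacker's own infrastructure with a spoofed From header, so the From domain will not match the envelope sender recorded in Return-Path; the sample messages, domain names, point weights and flag threshold are all constructed for illustration.

```python
"""Triage heuristic for Emotet-style reply-chain lures (added example, not from the HP report).

Signals, each worth one point:
  1. the message is a reply (In-Reply-To or References present) and carries a Word attachment
  2. the From header domain differs from the envelope sender in Return-Path
     (assumption: the lure is sent from attacker infrastructure with a spoofed From)
  3. the attachment uses a format that can carry VBA macros (.doc or .docm; .docx cannot)
A message scoring 2 or more points is flagged for review. Sample messages are constructed below.
"""
import email
import email.policy
from email.message import EmailMessage
from email.utils import parseaddr

WORD_EXTENSIONS = (".doc", ".docm", ".docx")
MACRO_CAPABLE = (".doc", ".docm")
FLAG_THRESHOLD = 2


def address_domain(header_value):
    """Lower-cased domain of the first address in a header, '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def word_attachments(msg):
    """File names (lower-cased) of Word-document attachments on a parsed message."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(WORD_EXTENSIONS):
            names.append(name)
    return names


def score_message(raw):
    """Parse one RFC 5322 message and return its attachments, reasons and flag decision."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    docs = word_attachments(msg)
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    from_domain = address_domain(msg["From"])
    path_domain = address_domain(msg["Return-Path"])

    reasons = []
    if is_reply and docs:
        reasons.append("reply_with_word_attachment")
    if from_domain and path_domain and from_domain != path_domain:
        reasons.append("from_return_path_mismatch")
    if any(d.endswith(MACRO_CAPABLE) for d in docs):
        reasons.append("macro_capable_word_format")
    return {"attachments": docs, "reasons": reasons,
            "suspicious": len(reasons) >= FLAG_THRESHOLD}


def build_sample(from_header, return_path, in_reply_to, attachment_name):
    """Build a constructed sample message and serialise it as a mail gateway would see it."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "RE: Purchase order 4471"
    msg["Return-Path"] = return_path
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    msg.set_content("Please see the attached, as discussed.\n\n> (quoted thread would appear here)\n")
    if attachment_name:
        # Fake OLE2 header bytes; only the file name matters to the heuristic.
        msg.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 12,
                           maintype="application", subtype="msword",
                           filename=attachment_name)
    return msg.as_string()


# Constructed samples: one hijacked-thread lure, one ordinary business reply.
SAMPLES = {
    "hijacked_thread_lure": build_sample(
        '"Dana Reyes" <dana.reyes@supplier.example>',
        "<bounce@unrelated-relay.example>",
        "<20200914.1542@victim.example>",
        "Invoice_3381.doc"),
    "legitimate_reply": build_sample(
        "Dana Reyes <dana.reyes@supplier.example>",
        "<dana.reyes@supplier.example>",
        "<20200914.1542@victim.example>",
        "Quote_rev2.docx"),
}


def scan_samples():
    """Score every constructed sample; returns {name: result}."""
    return {name: score_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, "FLAG" if result["suspicious"] else "ok", result["reasons"])
```

The threshold keeps an ordinary colleague's reply with a .docx attachment below the flag line while the spoofed reply with a macro-capable .doc scores on all three signals. The heuristic says nothing about lures that carry a link instead of an attachment, and a lure sent from a genuinely compromised mailbox would not trip the Return-Path check, so it is a triage aid rather than a substitute for detonating the attachment.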
Emotet started life as a banking Trojan, but it is also used as a malware downloader, with the gang working with other criminal groups to distribute their malicious payloads. The increase in Emotet infections is driving an increase in ransomware attacks. The threat actors behind the Emotet Trojan have teamed up with the operators of the TrickBot Trojan, a banking Trojan which is also a malware loader. TrickBot has been used to deliver Ryuk ransomware, and Ryuk ransomware attacks have increased considerably in recent weeks, in line with the increase in Emotet infections. The healthcare industry in the United States is currently being targeted by the Ryuk gang.
HP notes that ransomware attacks have become much more targeted. Rather than using spray-and-pray tactics to infect as many victims as possible, attackers concentrate on organizations considered most likely to pay. Many access brokers who have already compromised organizations advertise that access to ransomware gangs, or sign up as affiliates of ransomware-as-a-service operations and use the access to deliver the ransomware themselves.
Overall, Trojans were the top malware threat in Q3, 2020, accounting for 43% of all malware intercepted by HP Sure Click. Potentially unwanted applications were second with 21%, followed by downloaders (6%), and hacktools (5%).