Regarding the response to the resumed activity of the "Emotet" malware
Release date: August 7, 2020
Last updated: January 27, 2021
A malware family called Emotet has resumed its distribution activity since mid-July 2020. Many of you may already be aware of this, as multiple media outlets and institutions have published information about it.
In response, we summarize here the detection status of our products and introduce some of the cases we have observed.
Emotet attack flow
We have also confirmed many attacks using Emotet. So far, compared with the previous campaign that caused extensive damage in Japan, the malware's functionality has been improved, but the attack method itself does not appear to have changed significantly.
*We will update this page if any characteristic changes are confirmed in the latest attacks.
An attack leading to infection with the "Emotet" malware proceeds in the following steps.
1. An email with an attached file is delivered *1
2. The recipient opens the attached Office document (e.g., a Word file)
3. The recipient enables macros
4. The macro invokes WMI *2, which starts PowerShell
5. PowerShell downloads and executes the Emotet malware
6. The host is infected with Emotet
*1 In some cases, an email containing a URL link is delivered instead of an attachment. Clicking the URL in the email body downloads an Office document such as a Word file.
*2 WMI = Windows Management Instrumentation, the official management tool built into the Windows OS
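Detection logic for the chain in steps 2 to 5, written over constructed process-creation events. This is an added example, not code from the original page or from any of the products listed below; the event fields are loosely modelled on Sysmon Event ID 1 and the sample events, timestamps, user names and payload file name are constructed. The point it shows: a process created through WMI (Win32_Process.Create) is a child of WmiPrvSE.exe, not of WINWORD.EXE, so a plain "Word spawns PowerShell" parent/child rule misses this chain, and the Office process has to be correlated with the PowerShell process some other way (here: same user within a short window, or download-cradle markers on the command line).

```python
"""Detect Office -> macro -> WMI -> PowerShell -> payload over constructed
process-creation events (fields loosely modelled on Sysmon Event ID 1)."""
from datetime import datetime, timedelta
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WMI_HOST = "wmiprvse.exe"               # WMI provider host; parent of WMI-created processes
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line fragments typical of PowerShell download cradles (lower-case)
CRADLE_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                  "-enc ", "-encodedcommand", "-w hidden", "-windowstyle hidden")
OFFICE_WINDOW = timedelta(minutes=5)    # assumption: Office must have started this recently

T0 = datetime(2020, 8, 7, 10, 0, 0)     # constructed base timestamp
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def ev(pid: int, ppid: int, user: str, image: str, cmd: str, secs: int) -> Dict:
    """Build one constructed process-creation event."""
    return {"pid": pid, "ppid": ppid, "user": user, "image": image, "cmd": cmd,
            "time": T0 + timedelta(seconds=secs)}


# Constructed sample events: one Emotet-style chain plus two benign PowerShell starts
SAMPLE_EVENTS: List[Dict] = [
    ev(100, 1, "CORP\\alice", r"C:\Windows\explorer.exe", "explorer.exe", 0),
    ev(150, 4, "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe",
       "svchost.exe -k DcomLaunch", 0),
    ev(200, 100, "CORP\\alice", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
       'WINWORD.EXE /n "invoice.doc"', 60),
    # WmiPrvSE.exe is started by svchost (DcomLaunch), not by Word: the parent chain is broken here
    ev(300, 150, "NT AUTHORITY\\NETWORK SERVICE", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
       "WmiPrvSE.exe -secured -Embedding", 80),
    # The WMI-created PowerShell runs as the calling user (alice); encoded command is a placeholder
    ev(400, 300, "CORP\\alice", PS, "powershell -w hidden -enc AAAAAAAA", 90),
    ev(500, 400, "CORP\\alice", r"C:\Users\alice\AppData\Local\Temp\sample_payload.exe",
       "sample_payload.exe", 120),                     # constructed payload name
    ev(600, 100, "CORP\\alice", PS, "powershell Get-Process", 180),   # benign: no WMI parent
    ev(700, 300, "CORP\\svc_inventory", PS,                           # benign WMI job, no Office
       r"powershell -File C:\scripts\inventory.ps1", 240),
]


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_wmi_powershell_chains(events: List[Dict]) -> List[Dict]:
    """Return one alert per PowerShell process launched by WmiPrvSE.exe that either
    carries download-cradle markers or follows an Office start by the same user."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _basename(e["image"]) not in SHELLS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) != WMI_HOST:
            continue
        cmd = e["cmd"].lower()
        cradle = [m for m in CRADLE_MARKERS if m in cmd]
        # Correlate with an Office process started shortly before by the same user
        office = [o["pid"] for o in events
                  if _basename(o["image"]) in OFFICE_APPS and o["user"] == e["user"]
                  and timedelta(0) <= e["time"] - o["time"] <= OFFICE_WINDOW]
        if not cradle and not office:
            continue
        children = [_basename(c["image"]) for c in events if c["ppid"] == e["pid"]]
        alerts.append({"pid": e["pid"], "user": e["user"], "office_pids": office,
                       "cradle_markers": cradle, "children": children,
                       "severity": "high" if (cradle and office) else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_wmi_powershell_chains(SAMPLE_EVENTS):
        print(alert)
```

Only pid 400 is reported: the PowerShell started from Explorer has no WMI parent, and the service account's WMI-launched script has neither cradle markers nor a recent Office start. The children list is what an analyst would pivot to next, and it works the same whether the downloaded payload is an .exe or something else.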
Detection status in our products
The following is based on Emotet samples we obtained and on cases confirmed in customer environments, and is described for each step (1 to 6) of the Emotet attack flow above.
Please note that the results may change as new attack techniques emerge.
| Manufacturer | Product name | Detection status |
| --- | --- | --- |
| Broadcom | Symantec Endpoint Protection 14 | |
| CrowdStrike | Falcon | |
| FireEye | FireEye EX/ETP | |
| FireEye | FireEye NX | |
| Menlo Security | Menlo Security Secure Office 365 / Secure G Suite (Email isolation) | |
| McAfee | VirusScan Enterprise, Endpoint Security, MVISION Endpoint | |
| Team T5 | TeamT5 ThreatSonar (used by Mpression Cyber Security Service™ Threat Hunting & Incident Response Service) | |
Attack emails
From here we introduce some of the email samples we were able to observe. In the reply type, the attack email arrives as a reply to an email that we ourselves had actually sent. In other cases, many of the subject lines relate to "invoices", apparently depending on the time of year.
Many of the attack emails we received passed SPF (Sender Policy Framework), one of the anti-spoofing measures. Also, so that the mail would be delivered without delay, only the display name was disguised; as a result, even where the impersonated domain had DKIM (DomainKeys Identified Mail) configured, DKIM did not fail and the message passed. (For a while there were also cases in which messages from domains that do not use DKIM carried a DKIM signature, and in those cases DKIM failed.) This display-name spoofing appeared to be the same as in the campaign at the end of 2019.
In general, technologies such as SPF and DKIM are considered effective countermeasures against spoofing, but since they can be circumvented in this way, they should not be relied on excessively.
Attachment pattern
URL pattern
Pattern using email address as display name
Examples observed since September 2020
Cases where the Japanese text is natural
In the case below, the sender part is disguised using the same method as in "Pattern using email address as display name". In addition, the display name was crafted to be consistent with the subject and the recipient.
The email body itself also appears less unnatural than in the earlier emails.
In addition to the above, we also found cases posing as customer-satisfaction surveys for specific products that are widely used in Japan.
It is becoming increasingly difficult to tell these emails apart by unnatural Japanese.
Do not open suspicious files, and even if a file is opened, do not enable macros.
A case where a malicious file is delivered in a password-protected ZIP
Some emails use ZIP password protection to deliver the malicious file. Depending on how the password is written in the email text and on the secure email gateway in use, this attack may not be detected. Please consider handling it in combination with endpoint monitoring.
Cases observed since January 2021
From mid-January, Emotet distribution activity resumed. Below are some samples we have confirmed. We omit the details, but the attack process has changed from the one described above: the main change is that Emotet, previously distributed as an .exe file, is now distributed as a .dll file.
Emails exploiting the declaration of a state of emergency
Following the declaration of a state of emergency, emails that appear to have actually been sent by companies have been misused. The incongruity cannot be detected from the email text itself, so it is important to check the sender's email address again. When checking, look at the address inside the angle brackets "< >", not the display name. The display name may impersonate someone you do business with.
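The following sender check implements the advice just given, and also covers the SPF/DKIM observation from the "Attack emails" section: because only the display name is disguised, the address inside the angle brackets is genuine and SPF/DKIM pass, so a mail filter has to compare the display name against that address rather than trust the authentication verdict alone. This is an added example, not code from the original page or from any product named on it. The headers are constructed, and `KNOWN_PARTNERS` is an assumed allowlist mapping a correspondent's name to the domain they really send from.

```python
"""Flag display-name spoofing in a From header even when SPF/DKIM pass.
Added example; headers and the partner allowlist are constructed."""
import re
from typing import Dict, List, Tuple

# Assumption: names of known correspondents and the domain they really send from
KNOWN_PARTNERS = {"taro yamada": "partner.example"}

FROM_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def parse_from(value: str) -> Tuple[str, str]:
    """Split a From header into (display name, address inside the angle brackets)."""
    m = FROM_RE.match(value)
    if not m:
        return "", value.strip()           # bare address, no display name
    return m.group("name").strip().strip('"'), m.group("addr")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def auth_results(value: str) -> Dict[str, str]:
    """Pick the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(value)}


def assess_sender(headers: Dict[str, str]) -> Dict:
    """Compare the display name with the real address; SPF/DKIM are reported but not trusted."""
    name, addr = parse_from(headers.get("From", ""))
    auth = auth_results(headers.get("Authentication-Results", ""))
    actual = domain_of(addr)
    findings: List[str] = []
    # Pattern: an email address used as the display name, at a domain other than the real one
    m = EMAIL_RE.search(name)
    if m and domain_of(m.group(0)) != actual:
        findings.append(f"display name shows {m.group(0)} but the message is from {addr}")
    # Pattern: the name of a known business partner on an address outside their domain
    for partner, real_domain in KNOWN_PARTNERS.items():
        if partner in name.lower() and actual != real_domain:
            findings.append(f"display name claims {partner!r} but {actual} is not {real_domain}")
    return {"display_name": name, "address": addr, "spf": auth.get("spf", "none"),
            "dkim": auth.get("dkim", "none"), "findings": findings,
            "suspicious": bool(findings)}


# Constructed sample headers (not from any real message)
SAMPLES = [
    {"From": "taro@partner.example <info@sender-domain.example>",
     "Authentication-Results": "mx.example.jp; spf=pass smtp.mailfrom=sender-domain.example; "
                               "dkim=pass header.d=sender-domain.example"},
    {"From": '"Taro Yamada" <taro@partner.example>',
     "Authentication-Results": "mx.example.jp; spf=pass smtp.mailfrom=partner.example; "
                               "dkim=pass header.d=partner.example"},
    {"From": '"Taro Yamada" <yamada@other-host.example>',
     "Authentication-Results": "mx.example.jp; spf=pass smtp.mailfrom=other-host.example; dkim=none"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(assess_sender(s))
```

The first sample is the "email address as display name" pattern: SPF and DKIM both pass for sender-domain.example, yet the message is flagged because the address shown in the display name belongs to a different domain. The second is a genuine partner message and stays clean; the third carries a partner's name on an unrelated domain. The From header is parsed with a small regex rather than a library call so that the rule does exactly what the advice says: read the part in the angle brackets.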
Password notified as an image
Delivering malicious files by means of the ZIP password-protection function has been used for a long time, but a method of presenting the password as an image, as shown below, has been confirmed as a recent Emotet delivery method. This attack may not be detected by your secure email gateway. Please consider handling it in combination with endpoint monitoring.
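Gateway-side triage for the password-protected ZIP cases described in this section and in "A case where a malicious file is delivered in a password-protected ZIP" above. This is an added example, not code from the original page or from any gateway product; the archive is built by hand with `struct` so the example runs offline, and the email bodies and attachment names are constructed. The defender-relevant fact it relies on: a ZipCrypto-protected archive encrypts only the entry data, so the entry names remain readable and a gateway can still tell that an Office document is inside even though it cannot scan the content. Whether the password is written in the text or only shown in an image decides what the gateway can do on its own.

```python
"""Triage a password-protected ZIP attachment: encrypted entries, Office document
names inside, and how the password is delivered (text vs. image).
Added example; the ZIP bytes, bodies and attachment names are constructed."""
import io
import re
import struct
import zipfile
import zlib
from typing import Dict, List

OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")
# Password written in the body, e.g. "Password: 1234" or "パスワード：1234"
PASSWORD_RE = re.compile(r"(password|passcode|パスワード)\s*[:：]\s*\S+", re.I)


def build_zip(name: str, data: bytes, encrypted: bool) -> bytes:
    """Minimal single-entry ZIP (stored, no compression). With encrypted=True the
    general-purpose flag bit 0 is set, which is how a password-protected entry is
    marked; the data is a placeholder, not real ZipCrypto output."""
    flags = 0x0001 if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    fname = name.encode()
    local = struct.pack("<4s5H3L2H", b"PK\x03\x04", 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(fname), 0) + fname + data
    central = struct.pack("<4s6H3L5H2L", b"PK\x01\x02", 20, 20, flags, 0, 0, 0,
                          crc, len(data), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def triage_zip_attachment(zip_bytes: bytes, body: str, attachments: List[str]) -> Dict:
    """Decide what a gateway can do with the message without opening the payload."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()                       # names are readable even when encrypted
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    office_inside = [i.filename for i in infos if i.filename.lower().endswith(OFFICE_EXT)]
    if PASSWORD_RE.search(body):
        password_via = "text"                       # a text rule can find it
    elif any(a.lower().endswith(IMAGE_EXT) for a in attachments):
        password_via = "image"                      # text rules are blind; needs OCR or a human
    else:
        password_via = "unknown"
    action = "allow"
    if encrypted:
        # Content cannot be scanned here; escalate so the endpoint side is watching
        action = "hold-and-alert-endpoint" if office_inside else "alert"
    return {"encrypted_entries": encrypted, "office_inside": office_inside,
            "password_via": password_via, "action": action}


# Constructed samples
ENCRYPTED_ZIP = build_zip("invoice_2020-08.doc", b"<ciphertext placeholder>", encrypted=True)
PLAIN_ZIP = build_zip("readme.txt", b"hello", encrypted=False)
BODY_TEXT_PW = "Please check the attached invoice.\nPassword: 1234"
BODY_IMAGE_PW = "Please check the attached invoice. The password is shown in the attached image."

if __name__ == "__main__":
    print(triage_zip_attachment(ENCRYPTED_ZIP, BODY_TEXT_PW, ["invoice.zip"]))
    print(triage_zip_attachment(ENCRYPTED_ZIP, BODY_IMAGE_PW, ["invoice.zip", "pass.png"]))
    print(triage_zip_attachment(PLAIN_ZIP, "Hi", ["readme.zip"]))
```

In the image case the gateway cannot recover the password with a text rule, so the result is the same hold-and-alert outcome as for the text case, but with `password_via` set to "image" so the endpoint team knows the archive will only be opened by a user reading the picture. An unencrypted archive with no Office document inside is allowed through for normal scanning.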