NikolaNews

Emotet hijacks email conversation threads to insert links to malware

April 11, 2019
in Internet Security
http://www.zdnet.com/

The Emotet malware gang is now using a tactic previously seen used by nation-state hackers.

The group has been spotted this week reviving old email conversation threads and injecting links to malicious files.

Users involved in the previous email exchanges would receive an email spoofed to appear from one of their previous correspondents, but actually coming from Emotet servers.

The email conversation thread would be left intact, but the Emotet gang would insert a URL at the top of the email linking to an Emotet-infected file, or attach a malicious document to the existing email thread.

Tactic stolen from North Korean hackers

The tactic isn’t new. Back in October 2017, Palo Alto Networks reported that a North Korean hacking group was doing the same, inserting malware into old email threads.

The difference is that the North Korean group was hacking into email accounts, one at a time, to hijack old email threads.

The Emotet gang has taken a different approach. They are leveraging email threads they began mass-harvesting from previously infected victims in October last year.

The group started experimenting with hijacking stolen email threads as a spam distribution technique last month, according to a Minerva Labs report, but began using it at scale this week, according to security firm Cofense and security researcher Marcus “MalwareTech” Hutchins.

Last October Emotet began stealing the content of victims’ emails. This week it appears Emotet is using the stolen emails to fake replies to existing email chains with malware on a massive scale.

— MalwareTech (@MalwareTechBlog) April 10, 2019

Current Emotet spam appears to be leveraging email conversations that have been stolen prior to November 2018, Cryptolaemus Group security researcher Joseph Roosen told ZDNet in an interview. Cofense believes that more recently harvested email threads will be used in the future.

English and German email threads are being hijacked

This new Emotet email thread spam isn’t limited to English: both English and German email threads are being revived, Roosen told us.

“The injected reply is usually prefaced with ‘Attached is your confidential docs’,” he said. “These templates are pretty limited in run and not very numerous compared to the ‘normal’ [Emotet] malspam,” Roosen told ZDNet.

Nevertheless, the Emotet team appears to have put its full attention behind this spam campaign. Normally, the Emotet botnet is split in two clusters, named E1 and E2. Roosen told ZDNet that both clusters are now busy spewing out hijacked email threads.

[Image: emotet-dual-infrastructure.png. Credit: Trend Micro]

If over the coming days you receive an unexpected reply to an old email thread, especially one carrying a link or an attachment, you are most likely being targeted with Emotet malware.

Furthermore, this also means that at least one person in that email thread has been infected with Emotet in the past.

If it’s a business-related thread, this means that one of the employees or companies in that thread has already been compromised by Emotet in the past six months, and might have had sensitive data stolen from their networks already.

Hence, any system administrator who sees one of these emails arrive on the company’s email server should start scanning for Emotet artifacts on the internal network right away.
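One way a mail administrator could triage inbound mail for the pattern described above, as an added example that is not code from the ZDNet article or from any of the researchers it cites: it parses raw RFC 5322 messages with Python’s standard `email` library and scores the signals the article describes. A subject that claims to be a reply but whose envelope sender domain does not match the header From (the spoofed correspondent), no threading headers, a quoted thread months older than the message itself (the pre-November-2018 threads being replayed), and a URL, an Office attachment or the “Attached is your confidential docs” lure in the newly written part above the old thread. The two sample messages, the reply prefixes, file extensions, weights and the 150-day staleness threshold are constructed assumptions for illustration, not published indicators.

```python
import email
import re
from datetime import datetime, timezone
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Illustrative assumptions, not indicators published with the article: the lure
# phrase is the one Roosen quotes; everything else is chosen for this example.
LURE_PHRASES = ("attached is your confidential docs",)
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm")
REPLY_RE = re.compile(r"^\s*(re|aw|wg|fw|fwd)\s*:", re.I)  # English and German prefixes
URL_RE = re.compile(r"https?://\S+", re.I)
QUOTED_DATE_RE = re.compile(r"^\s*>.*\bOn (\d{1,2} \w{3} \d{4})\b", re.M)  # "> On 12 Oct 2018, X wrote:"

def _domain(header_value):
    """Lower-cased domain of the first address in a header value."""
    return parseaddr(str(header_value or ""))[1].rsplit("@", 1)[-1].lower()

def _fresh_text(body):
    """Only the lines the sender wrote; '>'-quoted lines belong to the old thread."""
    return "\n".join(l for l in body.splitlines() if not l.lstrip().startswith(">"))

def score_message(raw, stale_days=150):
    """Score one RFC 5322 message string; returns {'score', 'verdict', 'reasons'}."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []  # (points, reason)
    if not REPLY_RE.match(str(msg.get("Subject", ""))):  # only thread continuations are in scope
        return {"score": 0, "verdict": "not a reply", "reasons": []}
    # Spoofed sender: From names the old correspondent, but the envelope sender
    # (Return-Path, stamped by the receiving MTA) is someone else's relay.
    if _domain(msg.get("Return-Path")) != _domain(msg.get("From")):
        hits.append((2, "envelope sender domain differs from From"))
    # A genuine reply carries threading headers; a replayed thread usually does not.
    if not (msg.get("In-Reply-To") or msg.get("References")):
        hits.append((1, "reply without In-Reply-To/References"))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    # Stale thread: the quoted conversation is months older than the message itself.
    try:
        sent = parsedate_to_datetime(str(msg["Date"]))
        sent = sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        sent = None
    quoted = []
    for d in QUOTED_DATE_RE.findall(body):
        try:
            quoted.append(datetime.strptime(d, "%d %b %Y").replace(tzinfo=timezone.utc))
        except ValueError:  # malformed date in a quoted line
            pass
    if sent and quoted and (sent - max(quoted)).days >= stale_days:
        hits.append((1, f"quoted thread is {(sent - max(quoted)).days} days older than the message"))
    # The injected lure sits in the newly written part, above the old thread.
    fresh = _fresh_text(body).lower()
    if URL_RE.search(fresh):
        hits.append((1, "URL in the newly written text"))
    if any(p in fresh for p in LURE_PHRASES):
        hits.append((2, "known lure phrase"))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXT):
            hits.append((2, f"office attachment {name}"))
    score = sum(p for p, _ in hits)
    verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "clean"
    return {"score": score, "verdict": verdict, "reasons": [r for _, r in hits]}

# Constructed sample messages, not real captures. SUSPECT mimics the article's
# pattern: a 2018 thread replayed with a lure line, a URL and a .doc on top.
SUSPECT = """\
Return-Path: <bounce@mail-relay.example.net>
From: Alice Example <alice@acme.example>
Subject: RE: Q3 invoice reconciliation
Date: Wed, 10 Apr 2019 09:12:44 +0000
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=utf-8

Attached is your confidential docs
http://203.0.113.5/doc/view.php?id=1

> On 12 Oct 2018, Bob Partner wrote:
> Alice, can you send the reconciled Q3 figures?
--XYZ
Content-Type: application/msword
Content-Disposition: attachment; filename="Q3_figures.doc"

AAAA
--XYZ--
"""

LEGIT = """\
Return-Path: <bob@partner.example>
From: Bob Partner <bob@partner.example>
Subject: Re: Q3 invoice reconciliation
Date: Wed, 10 Apr 2019 09:40:00 +0000
In-Reply-To: <abc123@acme.example>

Thanks, received.

> On 9 Apr 2019, Alice Example wrote:
> Figures attached.
"""
```

`score_message(SUSPECT)` reports every signal and a verdict of “suspicious”, while the genuine reply in `LEGIT` scores zero. Return-Path is only meaningful when your own MTA writes it, so run this on mail as delivered, not on copies forwarded by users. When a message trips the stale-thread signal, the interesting finding is not the message but the correspondent whose mailbox the thread came from: as the article notes, that party was infected in the past, and the artifact hunt it recommends should extend to them.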

Emotet – today’s most dangerous malware

Currently, Emotet is considered one of the most dangerous malware strains. It started out as a banking trojan, but has transformed into a versatile malware “downloader” over the past two years.

Emotet is now a giant botnet of infected computers which its operators are renting to other criminal gangs. For example, reports from CrowdStrike, FireEye, Kryptos Logic, McAfee, IBM, and Cybereason, all say that Emotet has been used as a springboard for the Ryuk, LockerGoga, and BitPaymer ransomware strains.

Microsoft issued a formal warning about Emotet to businesses around the world in November 2017, when Emotet had finished transforming from a banking trojan into a malware downloader.

Since then, Emotet has grown to a massive size. A Spamhaus report put the number of Emotet infections for the months of February and March 2019 at 47,000.

Jason Meurer, threat intelligence analyst at Cofense, told ZDNet that “within the past year alone we’ve seen what appears to be at a minimum 700k infections.”

Further, these infection numbers only scratch the surface: Emotet bots can also move laterally inside a compromised network and claim even more victims, some of which are harder or near impossible to track accurately, as Hutchins said last week on Twitter.

Yes, 47K infections were observed in the past two months alone; with Emotet’s lateral movement capabilities and use of rotational C2s, the actual number of infections would be very high

— Raashid Bhat (@raashidbhatt) April 3, 2019

In addition, as a testament to Emotet’s prevalence on today’s malware landscape, the malware is also ranked first in the list of top 10 malware strains analyzed on the Any.Run virtualization service, and ranked second in Check Point’s top 10 malware families ranking for March 2019 (the ranking is somewhat controversial and inaccurate, but Emotet’s rank still gives a good impression of the malware’s ubiquity).

Emotet’s new tactic is quite efficient

Leveraging email conversation threads for malware distribution isn’t new. For example, the Ursnif banking trojan used a similar tactic in March and October 2018.

The difference is that the Ursnif gang fabricated the email threads from scratch. It didn’t use authentic conversations that recipients are likely to remember and inherently trust.

“This is a new tactic for Emotet but it was expected ever since the email stealer module was seen in November of 2018 by KryptosLogic,” Roosen told ZDNet.

“I think this is a very dangerous situation for various reasons. Despite the exfiltrated email conversations being dated, the use of previously sent material instills a comfort level for most users because of the familiarity.

“As [we] know, most malspam is sent as the start of a new conversation/thread. It is unique to have an actual reply from a ‘known’ source with your previous emails referenced. Because of that familiarity, recipients may let their guard down and perform actions they may not normally do with a new email,” Roosen told us.

“The other reason why this is dangerous is because of the data contained within the threads of the emails and how it may be a compliance violation and security nightmare. Think GDPR/HIPAA [violations],” Roosen said, pointing ZDNet to an incident where an Emotet infection turned into a data breach notification.

The several security researchers ZDNet spoke with today are keeping a close eye on Emotet to see whether upcoming campaigns will start sending these email threads to people not included in the original email loops, potentially exposing private conversations to outsiders, competing companies, or other interested parties, who would likely act on their innate curiosity to see what their competition or business partners have been up to, and get infected with Emotet along the way. Just remember: curiosity killed the cat!

Credit: Source link

© 2019 NikolaNews.com - Global Tech Updates