CSA Blog


New Threat Intelligence Report Reveals the Rise of Emotet


    Posted Mar 17, 2020 03:50:00 PM

    By Renatta Siewert, Senior Security Writer at Mimecast


    The Mimecast Threat Center launched the Threat Intelligence Report: RSA Conference Edition on February 25th, finding a 145% increase in attack campaigns across the globe from October to December. Researchers believe the increase can be attributed to Emotet's renewed activity after four months of relative dormancy, coupled with cybercriminals' higher rates of activity due to the holiday shopping season. From October to December 2019, the Mimecast Threat Center analyzed more than 202 billion emails and rejected 92 billion.

    The Rise of Emotet

    The most striking observation of the quarter's research has been the widespread deployment of the Emotet "dropper" malware, across all regions, on a scale not seen before. Its subscription-based Malware-as-a-Service (MaaS) model puts simple attack methods in the hands of a wider audience while keeping older, well-known malware in circulation.

    Business Email Compromise Increased in 2019

    Social engineering, most commonly carried out through impersonation, continues to be an effective technique for threat actors, and it showed a sustained increase throughout 2019.

    Data shows impersonation attacks made up 26% of total detections from July to September, and the volume of these attacks grew by 18% in that period. From October to December, however, threat actors refocused on malware delivery via Emotet, which may have led to the drop in voice phishing. Overall, the Threat Center believes business email compromise and impersonation will continue to grow in 2020.

    What Else Did the Threat Center Find?

    1) File compression continues to be an attack format of choice, but Emotet activity via DOC and DOCX formats has substantially increased. Compressed files allow for a more complex, potentially multi-malware payload, but they also serve as a very basic means of hiding the true file names of the items held within the container. The ZIP format dominated detections, with approximately 3 million throughout the quarter. Any available form of file compression will remain the most attractive to threat actors.
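    To illustrate the point that a ZIP container hides the names and types of the files inside it, here is an added example (not code from the report or from Mimecast) of the kind of attachment check a mail gateway can run: it opens the archive, lists the inner names, flags Office documents and script/executable types, nested archives, and encrypted entries that a content scanner cannot inspect. The extension lists and the sample archive are constructed assumptions for the demonstration.

```python
import io
import posixpath
import zipfile

# Inner-file types a gateway policy might treat as suspicious inside a ZIP
# (assumed policy for this example, not Mimecast's actual rule set).
SUSPECT_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".exe", ".scr"}
NESTED_ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Return findings for one attachment: inner names, flagged names,
    nested archives, and whether any entry is encrypted (unscannable)."""
    findings = {"entries": [], "suspect": [], "nested": [], "encrypted": False, "not_zip": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["not_zip"] = True  # not a ZIP at all; hand to other scanners
        return findings
    with zf:
        for info in zf.infolist():
            name = info.filename
            findings["entries"].append(name)
            # General-purpose flag bit 0 set means the entry is encrypted,
            # so the inner content cannot be inspected by the gateway.
            if info.flag_bits & 0x1:
                findings["encrypted"] = True
            ext = posixpath.splitext(name.lower())[1]
            if ext in SUSPECT_EXTENSIONS:
                findings["suspect"].append(name)
            elif ext in NESTED_ARCHIVE_EXTENSIONS:
                findings["nested"].append(name)
    return findings


def should_quarantine(findings: dict) -> bool:
    """Assumed policy: hold the message if the ZIP hides an Office/script
    payload, a nested archive, or content that cannot be scanned."""
    return bool(findings["suspect"] or findings["nested"] or findings["encrypted"])


def build_sample_attachment() -> bytes:
    """Constructed sample: an 'invoice' ZIP whose outer name reveals nothing
    about the Office document carried inside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_Q4/Invoice_88213.doc", b"placeholder document bytes")
        zf.writestr("invoice_Q4/README.txt", b"See attached invoice")
    return buf.getvalue()
```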

    2) It is highly likely that threat actors' concentration of effort on Emotet constitutes a significant refocusing of their efforts onto the attempted delivery of ransomware. Emotet is an effective dropper of other malware because it is modular in nature and can deliver a variety of payloads. A number of significant campaigns using Emotet have included ransomware detections. Official advisories from the US, UK, and Canadian cyber centers since June 2019 have also stressed the particular threat Emotet poses in the targeted delivery of ransomware.

    3) Specific sectors are repeatedly targeted, but campaign activity also grew because of the holiday season. The top sectors for attack globally are Transportation, Storage and Delivery; Financial: Banking; and Professional Services: Legal. These three sectors have remained subject to high levels of attack throughout 2019, although the Transportation, Storage and Delivery sector and the Retail and Wholesale sector were disproportionately attacked this quarter, together accounting for almost a third of the most significant global campaign activity. Given the holiday gift-giving season, however, much of this increase is to be expected.

    4) Although the number of impersonation attacks is slightly lower, they remain a key attack vector. Impersonation attacks now include a range of voice messaging and a generally less coercive form of communication, which presents as a more nuanced and persuasive threat. It is highly likely that impersonation decreased because threat actors shifted their focus to delivering malware, seeking to repeat the monetary successes of ransomware attacks in 2019.

    5) The overwhelming majority of attacks are again less sophisticated, high-volume forms of attack, although more complex attacks are present and can take place over a period of several days. This is almost certainly a reflection of the increasing ease of access to online tools and kits that let any individual launch a cyberattack, particularly the return of Emotet as a paid-for service. The trend also reflects the challenge of human error: even the simplest attacks can succeed. As attacks progress, they alter exploits and include more potent forms of malware and ransomware.

    Read the full report to learn more about how these attack campaigns impacted your region, or your industry.