Threat Advisory Update: Emotet Botnet Shows Signs of Life & COVID-19 Phishing Campaigns Target Healthcare
April 22, 2020
The Emotet botnet has begun to show signs of life after months of inactivity. The E2 portion has started deploying credential-stealing and email-stealing modules. It is believed that this could be a preparation step for a new spam campaign. During the downtime, the operators behind Emotet redesigned it and some of the modules it uses.
New features include improvements to its anti-malware evasion and a hashbusting implementation which makes it more dangerous compared to previous versions. Hashbusting ensures that the malware will have a different hash on each system it infects, rendering hash-based detections useless. Additional features include:
- Reworked malware code to incorporate the use of a state machine to obfuscate the control flow
- Code branches flattened into nested loops, which lets the code blocks appear in any order while the state machine still executes them in the intended sequence
The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following steps as best practices to defend against Emotet:
- Block email attachments commonly associated with malware (e.g., .dll and .exe).
- Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
- Implement Group Policy Object and firewall rules.
- Implement an antivirus program and a formalized patch management process.
- Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
- Adhere to the principle of least privilege.
- Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
- Segment and segregate networks and functions.
In addition to CISA’s recommendations, Herjavec Group also advises:
- Follow best practices to limit opportunities for credential loss or lateral movement
- Incorporate consistent user security awareness training
- Establish processes for reporting suspicious emails
- Isolate suspicious systems until they can be remediated
- Develop playbooks and orchestration to automate phishing detection, containment, and detonation where possible
COVID-19 Phishing Emails Target Healthcare Providers
The FBI has released a flash report outlining phishing campaigns targeting healthcare providers in March 2020. The emails leveraged COVID-19 themed subject lines and content to distribute malicious attachments, such as Microsoft Word documents, 7-Zip compressed files, Microsoft Visual Basic Script, Java, and Microsoft Executables.
The exact details of the attachments are not known at this time, but it is likely that they are used as an initial intrusion vector to gain system access for further exploitation and/or exfiltration.
Indicators of Compromise (IoCs) for the COVID-19 phishing emails include:
| Email Sender | Email Subject | Attachment | Hash |
|---|---|---|---|
| email@example.com | PURCHASE ORDER PVT | Doc35 Covid Business Form.doc | babc60d43781c5f7e415e2354cf32a6a24badc96b971a3617714e5dd2d4a14de |
| firstname.lastname@example.org | Returned mail: see transcript for details | Covid-19_UPDATE_PDF.7z | de85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44 |
| email@example.com | COVID-19 UPDATE !! | Covid-19_UPDATE_PDF.7z | de85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44 |
| firstname.lastname@example.org | Information about COVID-19 in the United States | covid50_form.vbs | d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c |
| email@example.com | Business Contingency alert -COVID 19 | COVID-19 Circular.jar | eacc253fd7eb477afe56b8e76de0f873259d124ca63a9af1e444bfd575d9aaae |
| firstname.lastname@example.org | Todays Update on COVID-19 | Todays Update on COVID-19.exe | 7fd2e950fab147ba39fff59bf4dcac9ad63bbcdfbd9aadc9f3bb6511e313fc9c |
| email@example.com | World Health Organization/ Let’s fight Corona Virus together | COVID-19 WHO RECOMENDED V.exe | d150feb631d6e9050b7fb76db57504e6dcc2715fe03e45db095f50d56a9495a5 |
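An added example (not code from Herjavec Group, CISA or the FBI) of gateway-side attachment triage built on the table above: it checks each attachment's SHA-256, its file name, and its extension, because an exact-hash match alone misses any file whose bytes differ from the listed sample. The blocked-extension set, the function names and the sample messages are assumptions constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# SHA-256 -> attachment name, copied from the advisory's IoC table.
IOCS = {
    "babc60d43781c5f7e415e2354cf32a6a24badc96b971a3617714e5dd2d4a14de": "Doc35 Covid Business Form.doc",
    "de85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44": "Covid-19_UPDATE_PDF.7z",
    "d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c": "covid50_form.vbs",
    "eacc253fd7eb477afe56b8e76de0f873259d124ca63a9af1e444bfd575d9aaae": "COVID-19 Circular.jar",
    "7fd2e950fab147ba39fff59bf4dcac9ad63bbcdfbd9aadc9f3bb6511e313fc9c": "Todays Update on COVID-19.exe",
    "d150feb631d6e9050b7fb76db57504e6dcc2715fe03e45db095f50d56a9495a5": "COVID-19 WHO RECOMENDED V.exe",
}
IOC_NAMES = {name.lower() for name in IOCS.values()}
# Assumed policy: CISA's examples (.dll, .exe) plus types seen in the table.
BLOCKED_EXT = {".dll", ".exe", ".vbs", ".jar", ".7z"}

def triage(raw: bytes) -> list[tuple[str, list[str]]]:
    """Return (filename, reasons) for each attachment that should be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if hashlib.sha256(data).hexdigest() in IOCS:
            reasons.append("ioc-hash")           # exact match only; brittle
        if name.lower() in IOC_NAMES:
            reasons.append("ioc-name")           # survives a changed hash
        if PurePosixPath(name.lower()).suffix in BLOCKED_EXT:
            reasons.append("blocked-extension")  # policy control, IoC-independent
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample(name: str, data: bytes) -> bytes:
    """Constructed test message; the payload is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["Subject"] = "COVID-19 UPDATE !!"
    m.set_content("constructed sample body")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    for fname in ("Covid-19_UPDATE_PDF.7z", "minutes.txt"):
        print(fname, triage(build_sample(fname, b"placeholder")))
```

The first constructed message is flagged on name and extension even though its placeholder bytes do not hash to the listed value.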
Herjavec Group's Threat Management & Incident Response team is available for further support and consultation. If you need Incident Response support or Security Expertise, please connect with us.
Herjavec Group continues to track COVID-19 related cyberattacks. We have a complete resource center tracking COVID-19 related threats, malware types, as well as a summary of IOCs and domains specific to COVID-19. Review it here.
For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.