Emotet Borrows Technique of North Korean APT Group

Delaware, USA – April 12, 2019 – The authors of Emotet continue to maintain its reputation as the most dangerous malware. Researchers at Cofense have discovered a new technique in the trojan's arsenal: the malware now sends customized templates based on previously stolen emails. An email harvesting module was added in October 2018, but the adversaries had not yet used this advantage in full force. Last month they started experimenting with the technique, and they have since switched to mass mailings; the researchers have managed to collect more than 1000 unique emails spreading the infection.

In 2017, the North Korean APT group hacked email accounts and used old email threads to infect users from the contact list. Emotet is now conducting a more extensive campaign: the malware calls out to its command and control server to receive the original address list, the crafted template, and the legitimate address of a victim involved in the email thread, which it spoofs as the sender. So far, the attackers target only English- and German-speaking users, and all emails contain links to malicious documents. This makes it clear why the attackers began compromising trusted websites to host malicious documents. Security researcher JHTL spotted a malicious document on Uniden’s website for commercial security products.

Emotet malware is extremely dangerous, but it leaves traces that your security solutions can detect. To spot malware activity on Windows systems, you can use your SIEM and the Sysmon Framework rule pack: https://my.socprime.com/en/integrations/sysmon-framework-arcsight
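On the mail side, the spoofed-sender replies described above can be triaged with a simple header check. The following is an added example, not code from Cofense or SOC Prime: it assumes that a reply whose `From` domain differs from its `Return-Path` domain and whose body carries a link deserves review, and the signal names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

REPLY_RE = re.compile(r"^\s*(re|aw|fw|fwd|wg)\s*:", re.I)  # English and German prefixes
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def _domain(header_value):
    """Lower-cased domain of the address in a From/Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def _text(msg):
    """Concatenate every text/* part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", "replace"))
    return "\n".join(parts)

def triage(raw):
    """Return the heuristic signals (assumed, not Emotet-specific) a raw message triggers."""
    msg = message_from_string(raw)
    signals = []
    if not REPLY_RE.match(msg.get("Subject", "")):
        return signals  # only reply-style mail is in scope
    from_dom, env_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    if env_dom and from_dom != env_dom:
        signals.append("sender-mismatch")  # visible sender differs from envelope sender
    if URL_RE.search(_text(msg)):
        signals.append("link-in-reply")  # the page notes all lures carry links
    return signals

def is_suspect(raw):
    """Escalate only when both signals fire; either one alone is common in benign mail."""
    return set(triage(raw)) == {"sender-mismatch", "link-in-reply"}

# Constructed sample messages (reserved example domains), not real campaign data.
LURE = ("Return-Path: <bounce@mailer.example.net>\nFrom: Alice <alice@example.com>\n"
        "To: bob@example.org\nSubject: RE: Q1 invoice\n\n"
        "Please see the updated document: http://files.example.net/invoice.doc\n\n"
        "> Bob wrote:\n> Can you resend the invoice?\n")
BENIGN = ("Return-Path: <alice@example.com>\nFrom: Alice <alice@example.com>\n"
          "To: bob@example.org\nSubject: Re: Q1 invoice\n\nSent as requested.\n")
```

Mailing lists and bulk-mail providers also produce sender mismatches, so treat a hit as a reason to inspect the link and the thread, not as a verdict.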