Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/7/2019
05:50 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

TA542 Brings Back Emotet with Late September Spike

Overall volumes of banking Trojans and RATs increased during the third quarter, when Emotet was suspiciously absent until mid-September.

Emotet re-emerged toward the end of September, ending a months-long hiatus that gave banking Trojans and remote access Trojans (RATs) room to increase in the third quarter.

As a result of Emotet's absence for the first 10 weeks of the third quarter, global combined malicious URL and attachment message volume decreased by nearly 40%, researchers explain in the "Proofpoint Q3 2019 Threat Report." Despite this decline, overall volumes of banking Trojans and RATs increased by 18% and 55%, respectively, compared with the second quarter. Banking Trojans made up 46% of all malware in the third quarter, followed by RATs at 15%.

Emotet's absence was notable because of its sheer size. Between mid-2017 and May 1, 2019, TA542 spread the Emotet botnet in hundreds of increasingly large campaigns that eventually spread through North and South America, Western Europe, Asia, and the Middle East, targeting organizations across industries with tens of millions of messages. Over time, Emotet evolved from banking Trojan to a modular botnet designed to spread different types of digital threats.

Emotet disappeared from the threat landscape at the end of May, shifting overall malware trends. To some extent, researchers say, banking Trojans and RATs in the third quarter were filling the gap Emotet left. Threat groups that Proofpoint tracked as TA556 and TA544 drove banking Trojan volumes with large Ursnif campaigns, which made up 20% of all banking Trojans. Other attackers distributed Trickbot (37%), and a group tracked as TA516 spread IcedID (26%).

More attackers regularly distributed RATs in Emotet's absence – namely, a group tracked as TA505. "We noticed TA505 is a group that moves the needle," says Chris Dawson, threat intelligence lead at Proofpoint. When they choose to distribute a threat, they do it in volumes. In the third quarter, it led the charge with FlawedAmmyy (45%) and FlawedGrace (30%).

Emotet's reappearance in September brought another shift: When it emerged for the last two weeks of the month, it made up 11% of all malicious payloads for the entire third quarter. "Their absence impacted overall volume significantly," says Dawson of Emotet's temporary exit from cybercrime. "Now they're back with a vengeance, doing what they do."

There remains some speculation in the intelligence community as to where Emotet went and what its operators were doing, he explains. When major actors take a short break, it's usually because they lost control of the botnet or need to do some retooling behind the scenes. But Emotet's hiatus was long – a little over three months – and it's unclear why its actors went dark.

When TA542 re-emerged with new Emotet campaigns on September 16, researchers noticed a few subtle shifts in how it operated. The group generally followed the same model researchers had historically observed: geographically targeted emails with local-language lures and brands. Messages often had financial themes and contained malicious attachments or links to malicious documents that, when targets enabled macros, installed Emotet onto their machines.

But in addition to its longstanding targets, which included the US, the UK, Canada, Germany, and Australia, TA542 expanded its target countries to include Italy, Spain, Japan, Hong Kong, and Singapore. It also used a "Snowden" lure in its email campaigns, going back to its older 2018 habit of using seasonal and topical email lures. Before it dropped off the map, Dawson says, it was using generic business-based lures in its attack messages.

"It says something more about how we see social engineering get better and better," he explains, noting how even high-volume actors are getting smarter about geofencing and localization of languages when they craft malicious messages.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What a Security Products Blacklist Means for End Users and Integrators."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...