Originally a financial trojan horse, the Emotet malware has now become a lethal force. According to observations by HP’s Bromium-powered Sure Click Unit, detections of Emotet have skyrocketed by 1200% from Q2 to Q3 this year.
Over time, the notorious malware has mutated from a financial trojan into a delivery agent for ransomware. At the same time, malware attacks have grown in frequency. Notably, a steep climb in the number of attacks was seen in August this year, right after the end of Q2. HP noted a “large and sustained increase in malicious spam campaigns”, of which Emotet was responsible for a major share.
Emotet spreads proactively via spam email campaigns. Characteristically, the campaigns impersonate well-known senders or use topical lures to entice users into opening the attachments of the spam emails. Once the attachment is opened, the malware infects the system and drops its assigned payload. This payload can be ransomware, or a Trickbot or Qakbot infection used for initial reconnaissance.
HP senior analyst Alex Holland stated that Emotet’s presence in such phishing campaigns is expected to continue into 2021. He also described the network of criminals behind the Emotet attacks. He said, “The targeting of enterprises is consistent with the objectives of Emotet’s operators, many of whom are keen to broker access to compromised systems to ransomware actors. Within underground forums and marketplaces, access brokers often advertise characteristics about organizations they have breached — such as size and revenue — to appeal to buyers”.
Holland’s Threat Security report states that Japan received nearly a third of all Emotet attacks in Q3 2020, while Australia saw a fifth of them. Holland also noted that more than 40% of the malware attacks in Q3 were delivered via files with a “.doc” extension. The surge in Emotet activity fuelled a 60% rise in ransomware payments across the globe.