SophosLabs Report: Emotet malware operates on a massive scale

Sophos, a network and endpoint security company, recently published a SophosLabs Uncut report about the multi-faceted malware that has become more prevalent and dangerous over time: Emotet.

The malware operates on a mass scale. Everything it does, it does in bulk. A typical infection begins when the victim receives a specially crafted spam email. Emotet’s creators send these out by the thousands and, in some cases, the bots themselves send more. The lures employ mass-created malicious document files. The payload URLs, from where the malware eventually gets downloaded, come in large batches, with the same file hosted in multiple locations in case some of those sites get shut down (and they do).
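One defensive corollary of the "same file hosted in multiple locations" pattern is that identical download bodies turning up behind many unrelated hosts is a useful triage signal. The following is an added example, not code from Sophos or the report: it groups constructed proxy log lines (placeholder hosts and hash values, not real indicators) by the recorded SHA-256 of the downloaded body and reports digests served from several distinct hosts.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not real indicators): timestamp, client IP, URL fetched,
# and the SHA-256 the proxy recorded for the downloaded body (placeholder values).
SAMPLE_LOG = """\
2019-07-22T09:01:12Z 10.0.0.12 http://host-a.invalid/wp-content/invoice_0722.doc sha256=PLACEHOLDER_HASH_1
2019-07-22T09:03:40Z 10.0.0.31 http://host-b.invalid/images/invoice_0722.doc sha256=PLACEHOLDER_HASH_1
2019-07-22T09:05:02Z 10.0.0.12 http://host-c.invalid/js/order_confirm.doc sha256=PLACEHOLDER_HASH_1
2019-07-22T09:07:55Z 10.0.0.44 http://cdn.host-d.invalid/lib/jquery.min.js sha256=PLACEHOLDER_HASH_2
2019-07-22T09:09:13Z 10.0.0.31 http://host-e.invalid/docs/shipping_notice.doc sha256=PLACEHOLDER_HASH_1
2019-07-22T09:11:27Z 10.0.0.50 http://host-a.invalid/wp-content/invoice_0722.doc sha256=PLACEHOLDER_HASH_1
"""

def parse_log(text):
    """Yield (host, path, sha256) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].startswith("sha256="):
            continue
        url = urlsplit(parts[2])
        yield url.hostname, url.path, parts[3][len("sha256="):]

def payloads_on_many_hosts(text, min_hosts=3):
    """Return {sha256: sorted hosts} for bodies served from at least min_hosts distinct hosts.
    Repeated fetches from one host count once, so a single busy download site does not trip it."""
    hosts_by_hash = defaultdict(set)
    for host, _path, digest in parse_log(text):
        hosts_by_hash[digest].add(host)
    return {d: sorted(h) for d, h in hosts_by_hash.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for digest, hosts in payloads_on_many_hosts(SAMPLE_LOG).items():
        print(f"{digest}: identical body fetched from {len(hosts)} hosts -> {', '.join(hosts)}")
```

Legitimate library files are also mirrored across many hosts, so in practice this signal is paired with file type, reputation or attachment context before anyone is paged.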

In order to operate at this scale, Emotet’s creators seem to have refined the process by which they customize each batch of messages they transmit. The message changes slightly from batch to batch, though it usually follows a common trope or thematic pattern: a shipping confirmation, a purchase order, or an invoice asking the recipient to pay the sender (whom the recipient will likely never have heard of).

Moreover, people who look at this kind of spam, day in and day out, can’t help but notice the profusion of spelling errors, typos, grammatically challenged copy, and other small failures of attention to detail in these messages. And yet, it doesn’t seem to matter that these messages contain oddly constructed sentences or misspellings of the name of a government agency in messages ostensibly sent by that government agency.

In many cases Emotet also tries to steal data, turning a malware infection into a data breach. Some Emotet variants skim email addresses and names from email client data and archives, likely so they can be sold as part of a wider list and used to spread more malicious spam. Others inspect web browsers and steal browsing histories and saved usernames and passwords.

Sophos leverages on-demand curated threat intelligence from SophosLabs and machine learning to rapidly detect, prioritize, investigate and respond to incidents. With Sophos Synchronized Security, companies can better manage and defend their network thanks to the integration between the endpoint and network solutions. The latest releases of XG Firewall and Intercept X with EDR are now available on Sophos Central’s cloud management platform.

Image by Gerd Altman/Pixabay
