Stolen emails reflect Emotet's organic growth

By Jaeson Schultz

Introduction

Emotet has a penchant for stealing a victim's email, then impersonating that victim and sending copies of itself in reply. The malicious emails are delivered through a network of stolen outbound SMTP accounts. This relatively simple email-man-in-the-middle social engineering approach has made Emotet one of the most prolific vehicles for delivering malware that we have seen in modern times.

Cisco Talos continues to monitor Emotet, constantly detonating Emotet samples inside the ThreatGrid malware sandbox and elsewhere. We watch in real time as email that purports to be from Emotet's victims begins to flow out through Emotet's network of outbound mail servers. Vigilant monitoring of both stolen SMTP credentials and outbound email allows Talos to extract meta-information about Emotet's latest victims and provides insight into the networks where Emotet is actively spreading.

One of the most cunning aspects of Emotet's propagation is the way its operators exploit personal and professional relationships to facilitate further infection. When receiving a message from a trusted friend or colleague, it is quite natural for recipients to think, "I can safely open this email attachment because it is in reply to a message I sent, or because it is from someone I know." Any person or organization that has sent an email to an Emotet victim could be targeted by Emotet's propagation messages, and the more interaction you have had with the victim, the more likely you are to receive malicious email from Emotet. Like a meandering watering hole attack, this is how Emotet crosses organizational boundaries with the potential to affect entire industries or even countries.
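The reply-chain pattern described above leaves a recognisable trace at the receiving mail gateway: a message that claims to continue an existing thread, is sent from an SMTP account whose domain does not match the claimed sender, and carries a document attachment. The following triage heuristic is an added example, not code from Talos or from the original post; the two messages it inspects are constructed for the example, and the list of attachment extensions it scrutinises is an assumption rather than something the article states.

```python
"""Heuristic triage of inbound mail for reply-chain hijacking (added example).

Flags messages that claim to continue an existing thread (In-Reply-To or
References present) while the envelope sender's domain differs from the
domain in the From: header and the message carries a document attachment.
The two sample messages below are constructed for this example.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Attachment types that deserve extra scrutiny inside a reply-chain message.
# This list is an assumption made for the example, not drawn from the article.
SUSPICIOUS_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".js")


def _domain(addr_header):
    """Return the lower-cased domain part of an RFC 5322 address header."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def assess_message(raw_bytes):
    """Return (score, reasons) for one raw RFC 5322 message.

    Each indicator alone is common in legitimate mail (forwarders, mailing
    lists, genuine replies with attachments); all three together are the
    reply-chain hijack pattern, so a score of 3 is the interesting case.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []

    # 1. The message presents itself as part of an existing conversation.
    if msg.get("In-Reply-To") or msg.get("References"):
        reasons.append("claims to be a reply (In-Reply-To/References set)")

    # 2. The account that actually submitted the mail (Return-Path) belongs to
    #    a different domain than the person the From: header impersonates.
    from_dom = _domain(msg.get("From"))
    envelope_dom = _domain(msg.get("Return-Path"))
    if from_dom and envelope_dom and from_dom != envelope_dom:
        reasons.append(f"From domain {from_dom} differs from envelope domain {envelope_dom}")

    # 3. A document attachment of a type we want to look at more closely.
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [f for f in attachments if f.lower().endswith(SUSPICIOUS_EXTENSIONS)]
    if risky:
        reasons.append("attachment of scrutinised type: " + ", ".join(risky))

    return len(reasons), reasons


# Constructed sample: a "reply" impersonating alice@, submitted through an
# unrelated hosting account, with a .doc attached.
HIJACK_SAMPLE = b"""Return-Path: <account17@unrelated-hosting.example>
From: "Alice Example" <alice@victim-corp.example>
To: bob@partner.example
Subject: RE: invoice for March
In-Reply-To: <20190301.abc@partner.example>
References: <20190301.abc@partner.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Bob, please see attached.
--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: a genuine reply from alice@ through her own mail server.
LEGIT_SAMPLE = b"""Return-Path: <alice@victim-corp.example>
From: "Alice Example" <alice@victim-corp.example>
To: bob@partner.example
Subject: RE: invoice for March
In-Reply-To: <20190301.abc@partner.example>
MIME-Version: 1.0
Content-Type: text/plain

Thanks Bob, looks good.
"""

if __name__ == "__main__":
    for name, sample in (("hijack", HIJACK_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = assess_message(sample)
        print(f"{name}: score={score} {reasons}")
```

The envelope/From mismatch is the weakest of the three signals on its own, since forwarding and third-party senders produce it legitimately; in practice you would combine it with SPF/DKIM alignment results from the gateway rather than treat the raw header comparison as conclusive.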
