Attackers continue to leverage greater levels of social engineering and sophistication

Despite a nearly four-month absence, the return of Emotet within the last two weeks of September accounted for nearly 12 percent of all malicious email samples in Q3, delivering millions of messages with malicious URLs or attachments, Proofpoint found.

Emotet returns, organizations need to react

“Emotet’s return to the threat landscape and the latest sextortion malware are just the latest examples of how cybercriminals continuously revamp and broaden the scope of their attacks in hopes of more effectively targeting individuals within organizations,” said Chris Dawson, threat intelligence lead at Proofpoint.

“As attackers leverage greater levels of social engineering and sophistication, it is critical that organizations implement a people-centric security approach that defends and educates its users, as they remain the primary target.”

Distributing Emotet all over the world

TA542, the cybercriminal group responsible for distributing Emotet, also expanded its regional targeting during this period to several new countries, including Italy, Spain, Japan, Hong Kong, and Singapore.

Reverting to methods that the group had shifted away from in early 2019, TA542’s re-emergence included highly targeted seasonal and topically relevant lures rather than generic financial themes. For example, on Sept. 23, Proofpoint observed the actor leveraging news-related “Snowden” lures.

Shift in the sextortion playbook

In addition to Emotet, researchers noted a potential shift in the sextortion playbook with the appearance of a new malware that can provide tangible evidence of adult activity for threat actors.

PsiXBot, a remote access Trojan (RAT), expanded its communication capabilities in September with the addition of a new “PornModule,” which contains a dictionary with pornography-related keywords used to monitor open window titles.

If a window matches the text, it will begin to record audio and video on the infected machine. Once recorded, the video is saved with a “.avi” extension and is sent to the command and control server, and then (presumably) used for extortion purposes.

Overall, sextortion remained rampant in Q3, with noteworthy campaigns that leveraged social engineering sent via the Phorpiex botnet.

Additional findings

• Global combined malicious URL and attachment message volume decreased nearly 40 percent compared to Q2, largely as a result of Emotet’s absence for the first 10 weeks of the quarter.
• Malicious URLs made up 88 percent of global combined malicious URL and attachment message volume, a slight increase from Q2, but overall in-line with the trend for 2019.
• Over 26 percent of fraudulent domains used SSL certificates, over three times the rate of domains across the web. This contributes dramatically to social engineering around these domains as we have been conditioned to look for the padlock icon as a sign of security and safety as we browse.
• Ransomware remained virtually absent as a primary payload in malicious emails, with the exception of smaller campaigns generally distributing Troldesh and Sodinokibi.
• Threat actors leveraged the Keitaro TDS in both malvertising and URL-based email attacks, building on the trend of more complex attack chains and redirections to hide their activities and exploit multiple vectors, including exploit kits.