HP Threat Research: Emotet Campaigns Targeting Enterprises Surge By 1,200% In Q3 2020

The NCSC report shows it uncovered 15,354 campaigns that had used coronavirus themes as a “lure” to fool people into clicking on a link or opening an attachment containing malicious software. However, HPs researchers found that only 5% of the emails they examined used this as a lure – so while this is significant, it is still not a primary tactic.

HP’s report found the use of thread jacking was common, where hackers gain access to a user’s inbox and send reply all messages within threads to lure people into clicking on malicious content. Aside from thread-jacking, hackers still favour ‘traditional’ hooks to lure users: Two-fifths of Emotet lures delivered via email that could be identified including invoices, purchase orders, and contracts; almost a third (31%) were forms and messages; while nearly a quarter (24%) were amendment notifications.

The NCSC report also said it handled more than three times as many ransomware incidents in 2020 than last year. Again, this is an area covered in the HP report which found a shift in the way ransomware is being delivered. HP found that amount of ransomware delivered by email was low because ransomware is now often being deployed by Trojan families, like Emotet, as a second or third level of compromise. Notably, Emotet infections are often a precursor to human-operated ransomware attacks. Threat actors have been observed using the access to compromised systems to perform reconnaissance of victim networks before deploying ransomware families, such as Ryuk.

More generally, the HP report also shows that Emotet spam campaigns have increased by more than 1,200% in Q3 2020 (July to September), compared to Q2 2020. Enterprises are being specifically targeted, with a quarter of Emotet spam sent to .org domains, while Japanese and Australian organisations were most affected by Emotet spam activity; analysis shows that 32% of samples were sent to Japanese domains, while nearly 20% targeted Australian domains. Almost half (43%) of threats delivered via email in Q3 were Trojans.

In addition to the stats above, we also have some insights from Alex Holland, senior malware analyst at HP Inc., who researched the report. He commented: “The typical pattern of Emotet campaigns we have seen since 2018 suggests that we are likely to see weekly spam runs until early 2021. The targeting of enterprises is consistent with the objectives of Emotet’s operators, many of whom are keen to broker access to compromised systems to ransomware actors. Within underground forums and marketplaces, access brokers often advertise characteristics about organisations they have breached – such as size and revenue – to appeal to buyers. Ransomware operators in particular are becoming increasingly targeted in their approach to maximise potential payments, moving away from their usual spray and pray tactics. This has contributed to the rise in average ransomware payments, which has increased by 60%.” 

The report was compiled between July and September 2020 using customer data collected from HP’s Sure Click Enterprise. HP Sure Click traps malware within secure micro-virtual machines, isolated from the network and device. A side effect of protecting users in this way is it can capture malware that has not been detected by other security tools because it tricks the malware into showing its hand – even for malware that’s only designed to execute after human interaction. HP Sure Click then allows it to run in a secure environment; this gives researchers access to the full kill chain providing rich threat telemetry around how the malware behaves.

Holland continues: “In one campaign, we saw hackers encrypting malicious documents with Microsoft Word’s ‘Encrypt with Password’ feature, to slip past network security and detection tools. The malware, in this case, TrickBot, would only deploy if the user entered a password sent with the phishing email. This meant that most anti-virus tools weren’t able to access the file to scan it, but we were able to watch it in the micro-VM. It may sound like a relatively simple tactic, but it’s one that has proven to be effective in bypassing detection.” 

The data illustrates the failings of detection and highlights why organisations need to focus on proactive protection measures, as Ian Pratt, Global Head of Security for Personal Systems at HP Inc. explains: “We need to reinvent how we approach security; a new, hardware-powered approach is needed that stops putting the burden of security on users by isolating threats to ensure they cannot infect PCs or spread through corporate networks. While the industry assumption to date is that protection can’t work, we are challenging this by offering a new, architecturally sound approach to the problem that is transparent to the end-user. Key to this is making the shift to a model that doesn’t rely on detection, but instead uses sound security engineering practises – such as fine-grained isolation, the principle of least privilege (PoLP), and mandatory access control – to provide protection without the need for detection.”