The HP Wolf Security threat research team has identified a 27-fold increase in detections resulting from Emotet malicious spam campaigns in Q1 2022, compared to Q4 2021 — when Emotet first made its reappearance.
Once described by the Cybersecurity and Infrastructure Security Agency as one of the most destructive and costly malware families to remediate, Emotet has bolted up 36 places to become the most common malware family detected this quarter (representing 9% of all malware captured).
One of these campaigns — which was targeted at Japanese organizations and involved email thread hijacking to trick recipients into infecting their PCs — was largely responsible for an 879% increase in .XLSM (Microsoft Excel) malware samples captured compared to the previous quarter.
Notable examples include:
- Signs indicate HTML smuggling on the rise: The median file size of HTML threats grew from 3KB to 12KB, suggesting a rise in the use of HTML smuggling, a technique where cybercriminals embed malware directly into HTML files so that it bypasses email gateways and evades detection before the attackers gain access and steal critical financial information. Recent campaigns were seen targeting Latin American and African banks.
- “Two for One” malware campaign leads to multiple RAT infections: A Visual Basic script attack was found being used to kick-start a kill chain resulting in multiple infections on the same device, giving attackers persistent access to victims’ systems with VW0rm, NjRAT and AsyncRAT.
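As an added, defender-side illustration of the HTML-smuggling indicator described above (example code written for this page, not HP Wolf Security's own tooling), the following Python scanner flags HTML attachments that combine a long base64 run with the client-side APIs used to reassemble and drop it. The size thresholds, the API list, the magic-byte table and both sample documents are constructed assumptions; the samples are inert fixtures, not real campaign files.

```python
"""Heuristic scanner for HTML-smuggling indicators in e-mail attachments.

Added example (not HP Wolf Security's code). It looks for the two things an
HTML-smuggling page needs: an embedded payload (one long base64 run, possibly
line-wrapped) and the client-side plumbing that reassembles and drops it
(atob, Blob, URL.createObjectURL, msSaveOrOpenBlob, a download attribute).
Thresholds are assumptions chosen around the report's 3 KB -> 12 KB median
file-size observation; tune them against your own attachment corpus.
"""
import base64
import binascii
import re
import textwrap
from dataclasses import dataclass, field

MIN_BLOB_CHARS = 2048        # assumption: shortest base64 run worth calling a payload
LARGE_HTML_BYTES = 8 * 1024  # assumption: well above the 3 KB median of ordinary HTML mail

# Client-side reassembly/drop APIs. These are detection strings only.
API_PATTERNS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"\bmsSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
}

# One base64 run, optionally continued on following lines (MIME-style wrapping).
# Each continuation must begin right after a newline, so matching stays linear.
B64_RUN = re.compile(r"[A-Za-z0-9+/]+(?:\r?\n[A-Za-z0-9+/]+)*={0,2}")

# Executable/archive magics recognisable from the first decoded bytes (assumed table).
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip"}


def blob_magic(blob: str) -> str:
    """Decode the first 64 base64 chars (48 bytes) and match known magics."""
    try:
        head = base64.b64decode(blob[:64], validate=True)
    except (binascii.Error, ValueError):
        return ""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return ""


@dataclass
class Verdict:
    size: int
    apis: list = field(default_factory=list)
    blob_chars: int = 0
    magic: str = ""

    @property
    def suspicious(self) -> bool:
        # A big blob alone is not enough (inline images are base64 too);
        # require the reassembly plumbing, or an executable/archive magic.
        has_payload = self.blob_chars >= MIN_BLOB_CHARS
        return (has_payload and bool(self.apis)) or bool(self.magic)

    @property
    def reasons(self) -> list:
        r = [f"api:{a}" for a in self.apis]
        if self.blob_chars >= MIN_BLOB_CHARS:
            r.append(f"base64_blob:{self.blob_chars}")
        if self.magic:
            r.append(f"decoded_magic:{self.magic}")
        if self.size >= LARGE_HTML_BYTES:
            r.append(f"large_html:{self.size}")
        return r


def scan_html(html: str) -> Verdict:
    """Score one HTML attachment body; keeps the longest qualifying blob."""
    v = Verdict(size=len(html.encode("utf-8", "replace")))
    v.apis = [n for n, p in API_PATTERNS.items() if p.search(html)]
    for m in B64_RUN.finditer(html):
        blob = re.sub(r"\s", "", m.group(0))
        if len(blob) >= MIN_BLOB_CHARS and len(blob) > v.blob_chars:
            v.blob_chars = len(blob)
            v.magic = blob_magic(blob)
    return v


# --- Constructed samples (inert fixtures; not real campaign files) -----------
# Benign newsletter with an inline image: a large base64 blob but no plumbing.
BENIGN_BLOB = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 2000).decode()
BENIGN = ('<html><body><p>Monthly newsletter</p>'
          f'<img src="data:image/png;base64,{BENIGN_BLOB}"></body></html>')

# Smuggling-style page: a line-wrapped blob that decodes to an MZ header plus
# the indicator APIs; the blob is all zeros and the script never runs here.
SMUGGLED_BLOB = base64.b64encode(b"MZ" + b"\x00" * 2000).decode()
SMUGGLED = ('<html><body><div id="p" hidden>\n'
            + "\n".join(textwrap.wrap(SMUGGLED_BLOB, 76))
            + '\n</div><script>\n'
            'var s = atob(document.getElementById("p").textContent);\n'
            'var b = new Blob([s]);\n'
            'var a = document.createElement("a");\n'
            'a.href = URL.createObjectURL(b); a.download = "report.zip";\n'
            '</script></body></html>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("smuggled", SMUGGLED)):
        v = scan_html(doc)
        print(f"{name}: suspicious={v.suspicious} reasons={v.reasons}")
```

The benign sample is the main false-positive class for this kind of rule: inline images are also large base64 blobs, so the verdict requires the reassembly APIs (or a decoded executable/archive magic) before it fires. The wrapped-line handling matters because gateway scanners that only look for one unbroken base64 string miss payloads split across lines, which is one reason the report's "bypassed at least one email gateway scanner" figure is non-zero.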
Q1 data shows this is by far the most activity seen from Emotet since the group was disrupted early in 2021. “A clear signal its operators are regrouping, building back their strength and investing in growing the botnet… Their reemergence is bad news for businesses and public sector alike,” explains Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc. “Emotet also continued to favor macro-enabled attacks — perhaps to get attacks in before Microsoft’s April deadline, or simply because people still have macros enabled and can be tricked into clicking on the wrong thing.”
Further key findings in the report include:
- 9% of threats hadn’t been seen before at the time they were isolated, with 14% of email malware isolated having bypassed at least one email gateway scanner.
- On average, it took over 3 days (79 hours) for a newly isolated threat to become known by hash to other security tools.
- 45% of malware isolated by HP Wolf Security was in Office file formats.
- Threats used 545 different malware families in their attempts to infect organizations, with Emotet, AgentTesla and Nemucod being the top three.
- A Microsoft Equation Editor exploit (CVE-2017-11882) accounted for 18% of all malicious samples captured.
- 69% of malware detected was delivered via email, while web downloads were responsible for 18%. The most common attachments used to deliver malware were documents (29%), archives (28%), executables (21%), spreadsheets (20%).
- The most common attachments used to deliver malware were spreadsheets (33%), executables and scripts (29%), archives (22%), and documents (11%).
- The most common phishing lures were business transactions such as “Order”, “Payment”, “Purchase”, “Request” and “Invoice”.
Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc., says, “With an uptake in alternative file types and techniques being used to bypass detection, organizations need to change course and take a layered approach to endpoint security. By applying the principle of least privilege and isolating the most common threat vectors — from email, browsers, or downloads — they render malware delivered via these vectors harmless. This dramatically reduces organizations’ risk exposure to cyber threats.”
For more insights, read the HP Wolf Security Threat Insights Report.