Emotet scales use of stolen email content for context-aware phishing

Overview

Emotet’s automated, targeted phishing campaigns have arrived, and they are aggressive. As originally discovered and predicted in our previous post about Emotet’s mass email harvesting, computers infected with Emotet and its email harvesting module can be used to create believable emails that even savvy email users may be tricked into clicking.

Since then, Kryptos' Threat Intelligence Team has observed Emotet’s behavior evolve, with the aid of their stolen email troves. During the past few days in particular, we have spotted the Emotet actors implement a new process allowing them to automate and scale the use of targeted emails.

Notably, a new set of data privacy risks are introduced by these Emotet operations. We have recently observed traffic from Emotet spam commands and concluded that worker bots are transmitting the stolen credentials and email contents to random Emotet infected devices, where they remain in memory unencrypted. To be clear, not only are the actors expanding their infiltration campaign, they are also transmitting confidential data (usernames, passwords and email contents) indiscriminately to members of the botnet.

The implications are serious: because stolen emails and their contents are redistributed, en masse, to thousands of infected hosts around the world, treating an Emotet infection may require considering breach notification laws and reviewing contractual agreements (e.g. NDAs).

Within this blog post, we will present our observations from the latest phishing campaigns from Emotet, whilst also providing insights into how Emotet’s backend is processing and sorting stolen emails.

Data Analytics meets Offensive Security

Distinct behavioral changes in Emotet spam activity occurred this past week. Emotet actors have weaponized their ever-growing database of stolen emails by taking it a step further and extracting the email body if the subject line contains “RE:”. They are issuing follow-up replies to the original email chains by sending email templates injected with malicious URLs and, as of April 11th, attachments to the original parties (TO and FROM). The goal is clear: to legitimize the appearance of their malicious emails with a new approach using context-aware phishing campaigns.

At this time, the targeted campaigns appear to be focused in two waves: first is seemingly “higher value” targets such as the US, Germany, Canada, and Japan; the second is generic in nature and does not assume the Reply To (RE) structure, instead focusing on what appears to be increasing infection rates within Mexico and South American countries.

The below diagram illustrates this flow at a high level.

Flow of Emotet Context-Aware Phishing campaign

This translates to an extremely effective technique at scale. In effect, Emotet has developed a mass targeted phishing scheme which derives its credibility from existing conversations and injects malicious links into the email chain, all while accomplishing this automatically and at scale. Our research presents a useful insight into the role automation is playing in a cybercrime campaign.

Example email spoofed from a US Government entity to an AV vendor

The above screenshot illustrates the convincing nature of the well-crafted responses, such that any victim could be susceptible to falling into the trap. As of 10th April, we have observed ~51 unique URLs being distributed, and more recently, weaponized .doc files are now being attached to the Emotet generated responses, rather than providing a URL.

Automating Targeted Phishing at Scale

As observed by CERT Polska in 2017, Emotet makes use of a custom communication protocol based on Google’s Protocol Buffers. We were able to observe new messages between infected hosts and Emotet’s backend infrastructure, which allows an Emotet infection to receive the parameters it needs to send a highly targeted lure.

message smtp_credentials {
    required int32 unknown_1 = 1;
    required string server = 2;
    required int32 port = 3;
    required string username = 4;
    required string password = 5;
    required string email_address = 6;
}

message email_templates {
    required int32 unknown_1 = 1;
    required string from_email = 2;
    required string from_name = 3;
    required string to_email = 4;
    required string to_name = 5;
    required string subject = 6;
    optional string header = 7;
    optional string body = 8;
    optional string footer = 9;
}

message SpamCommand {
    required smtp_credentials credentials = 1;
    required email_templates templates = 2;
}

The SpamCommand message contains two nested messages, smtp_credentials and email_templates, which are used by an Emotet infection to distribute spam.
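The wire encoding behind those definitions is worth seeing concretely, since an incident responder who captures this traffic will not have generated protobuf classes to hand. The following is an added example, not Kryptos Logic's or Emotet's own code: a minimal protobuf wire-format encoder and decoder written directly from the three message definitions above, with a constructed SpamCommand (every host, address and password in it is a placeholder) that is encoded and decoded again. It handles only the two wire types these messages use (varint and length-delimited), keeps unknown field numbers rather than dropping them, and the `summarize` helper deliberately omits the password field.

```python
"""Decode an Emotet-style SpamCommand from its protobuf wire encoding.

Added example, not the original post's or Emotet's code. Schemas are
transcribed from the .proto definitions; the sample message is constructed.
"""
from typing import Any, Dict, Tuple, Union

# Field number -> (name, type). A dict as the type marks a nested message.
SMTP_CREDENTIALS = {
    1: ("unknown_1", int), 2: ("server", str), 3: ("port", int),
    4: ("username", str), 5: ("password", str), 6: ("email_address", str),
}
EMAIL_TEMPLATES = {
    1: ("unknown_1", int), 2: ("from_email", str), 3: ("from_name", str),
    4: ("to_email", str), 5: ("to_name", str), 6: ("subject", str),
    7: ("header", str), 8: ("body", str), 9: ("footer", str),
}
SPAM_COMMAND = {1: ("credentials", SMTP_CREDENTIALS), 2: ("templates", EMAIL_TEMPLATES)}


def encode_varint(n: int) -> bytes:
    """Base-128 varint: low 7 bits first, high bit set on continuation bytes."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, new_position); refuses truncated or over-long varints."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def encode_message(fields: Dict[int, Union[int, str, bytes]]) -> bytes:
    """Wire type 0 (varint) for ints, wire type 2 (length-delimited) otherwise."""
    out = b""
    for num, value in fields.items():
        if isinstance(value, int):
            out += encode_varint(num << 3) + encode_varint(value)
        else:
            data = value.encode("utf-8") if isinstance(value, str) else value
            out += encode_varint(num << 3 | 2) + encode_varint(len(data)) + data
    return out


def decode_message(buf: bytes, schema: Dict[int, tuple]) -> Dict[str, Any]:
    """Walk key/value pairs; unknown field numbers are kept under a generated name."""
    out: Dict[str, Any] = {}
    pos = 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        num, wire_type = key >> 3, key & 7
        if wire_type == 0:
            value, pos = decode_varint(buf, pos)
        elif wire_type == 2:
            length, pos = decode_varint(buf, pos)
            value = buf[pos:pos + length]
            if len(value) != length:
                raise ValueError(f"truncated field {num}")
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type} on field {num}")
        name, kind = schema.get(num, (f"unknown_field_{num}", None))
        if isinstance(kind, dict) and isinstance(value, bytes):
            out[name] = decode_message(value, kind)
        elif kind is str and isinstance(value, bytes):
            out[name] = value.decode("utf-8", "replace")
        else:
            out[name] = value  # ints, unknown fields, or type mismatches kept raw
    return out


def sample_spam_command() -> bytes:
    """Constructed sample; all hosts, names, addresses and secrets are placeholders."""
    credentials = encode_message({
        1: 1, 2: "smtp.stolen-account.example", 3: 587,
        4: "victim@stolen-account.example", 5: "placeholder-password",
        6: "victim@stolen-account.example",
    })
    templates = encode_message({
        1: 1, 2: "spoofed@agency.example", 3: "A. Sender",
        4: "recipient@vendor.example", 5: "B. Recipient",
        6: "RE: Quarterly report", 7: "Hi,", 8: "Please see attached.\r\n\r\n", 9: "Regards",
    })
    return encode_message({1: credentials, 2: templates})


def summarize(raw: bytes) -> Dict[str, str]:
    """Fields an analyst would pivot on; the stolen password is never returned."""
    cmd = decode_message(raw, SPAM_COMMAND)
    creds, tmpl = cmd["credentials"], cmd["templates"]
    return {"smtp_server": f'{creds["server"]}:{creds["port"]}',
            "compromised_account": creds["email_address"],
            "spoofed_from": tmpl["from_email"], "target": tmpl["to_email"],
            "subject": tmpl["subject"]}


if __name__ == "__main__":
    for k, v in summarize(sample_spam_command()).items():
        print(f"{k:>20}: {v}")
```

Because the decoder keeps unknown field numbers, a future revision of the protocol that adds fields (as the `unknown_1` members suggest the actors already have) shows up as `unknown_field_N` entries instead of silently disappearing.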

The SMTP credentials used in the spam are likely to be those collected by a module that CERT Polska observed, which uses a password recovery tool published by NirSoft [1] to extract and steal the credentials. We have yet to observe the actors using a matching pair of SMTP credentials and sender information; emails are currently being sent out with a spoofed sender address, but this could change.

We have also observed the following different bodies injected into email threads (each line represents a unique body).

"Attached is your confidential docs.\\r\\n<br>\\r\\n"
"I have called you to many time but no response from your side.<br>\\rPlease see the attached file.\\r\\n\\r\\n"
"Please open the attached document.\\r\\r\\n\\r\\n"
"Please find attached your new documents.\\r\\n\\r\\n"
"You have a new message regarding your mail.\\r\\n\\r\\n"
"Thank you for your help. Please see the attached.\\r\\r\\n\\r\\n"
"Please see the attached file for your consideration.\\r\\n\\r\\n"
"Attached is your confidential docs.\\r\\n\\r\\n"
"Please find attached a copy of your document.\\r\\n\\r\\n"
"As Always Thank you very much for your assistance.\\r\\n\\r\\n"
"Please see attached and thanks!\\r\\r\\n\\r\\n"
"Attached please find the wire transfer form.<br>\\rPlease let me know if you have any questions.\\r\\r\\n\\r\\n"
"PLEASE DISCARD THE PREVIOUS VERSION THAT YOU RECEIVED EARLIER; ATTACHED IS THE CORRECTED VERSION.\\r\\n\\r\\n"
"PLEASE DISCARD THE PREVIOUS VERSION THAT YOU RECEIVED EARLIER; ATTACHED IS THE CORRECTED VERSION.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Load instructions attached\\r\\n\\r\\n"
"Please see/review attached.\\r\\r\\n\\r\\n"
"The funds should be credited to your bank account within three to four business days from the date of this e-mail.\\r\\n\\r\\n"
"Attached please find the ach transfer form.<br>\\rPlease let me know if you have any questions.\\r\\n\\r\\n"
"I know we chatted recently about this \\u2013 but I can\\u2019t recall if we discussed this moment.\\r\\n\\r\\n"
"Please see attached.\\r\\n\\r\\n"
"Attached is your new documents.\\r\\n\\r\\n"
"Thank you for your help. Please see the attached.\\r\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"This file is an data for March.\\r\\n\\r\\n"
"Please find attached your most recent documents.\\r\\n\\r\\n"
"As Always Thank you very much for your assistance.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Attached is your new documents.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Please see attached.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Please see/review attached.\\r\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Attached please find the wire transfer form.<br>\\rPlease let me know if you have any questions.\\r\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"I have called you to many time but no response from your side.<br>\\rPlease see the attached file.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Please open the attached document.\\r\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"I know we chatted recently about this \\u2013 but I can\\u2019t recall if we discussed this moment.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"You have a new message regarding your mail.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Please see attached and thanks!\\r\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Attached please find the ach transfer form.<br>\\rPlease let me know if you have any questions.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"The funds should be credited to your bank account within three to four business days from the date of this e-mail.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Please find attached your new documents.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Load instructions attached\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Please find attached your most recent documents.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Please see the attached file for your consideration.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"\\n<br>\\r\\n<br>\\r\\n<br>\\r\\ngerne senden wir Ihnen die gew\\xfcnschten Dokumente im Anhang dieser E-Mail als .doc-Datei.\\r\\r\\n<br>\\r\\n"
"\\n<br>\\r\\n<br>\\r\\n<br>\\r\\nIm Anhang dieser E-Mail finden Sie eine .DOC-Datei mit den gew\\xfcnschten Informationen.\\r\\r\\n<br>\\r\\n"
"Attached is your confidential docs.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Please find attached a copy of your document.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"\\n<br>\\r\\n<br>\\r\\n<br>\\r\\nanbei findest du den \\xdcberweisungsbeleg, das Geld sollte also bald bei dir auf dem Konto sein.<br>\\rEbenfalls anbei der Scan der Vereinbarung.bitte Anhang beachten.\\r\\r\\n<br>\\r\\n"
"\\n<br>\\r\\n<br>\\r\\n<br>\\r\\nIn der Anlage erhalten Sie Ihre dazugeh\\xf6rige Rechnung als DOC-Dokument.\\r\\r\\n<br>\\r\\n"
"\\n<br>\\r\\n<br>\\r\\n<br>\\r\\nbitte Anhang beachten. Danke. Noch einen sch\\xf6nen Resttag.\\r\\r\\n<br>\\r\\n"
"\\n<br>\\r\\n<br>\\r\\n<br>\\r\\nanbei findest du den \\xdcberweisungsbeleg, das Geld sollte also bald bei dir auf dem Konto sein.<br>\\rEbenfalls anbei der Scan der Vereinbarung.\\r\\n<br>\\r\\n"
"This file is an data for March.\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"\\n<br>\\r\\n<br>\\r\\n<br>\\r\\nmit dieser E-Mail schicke ich Euch zwei wichtige Dokumente.\\r\\r\\n<br>\\r\\n"
"\\n<br>\\r\\n<br>\\r\\n<br>\\r\\nAls Anhang erhalten Sie Ihre Rechnung.\\r\\r\\n<br>\\r\\n"
"\\n<br>\\r\\n<br>\\r\\n<br>\\r\\ndie Kontentrennung sowie die \\xc4nderung der Rechnungsanschrift und des SEPA Mandats habe ich wie gew\\xfcnscht zu sofort durchgef\\xfchrt.\\r\\r\\n<br>\\r\\n"
r"I have paid the outstanding balance today by bank transfer - \$[0-9],[0-9]{3}\.[0-9]{2}\.\\r\\r\\n\\r\\n"
r"I have paid the outstanding balance today by bank transfer - \$[0-9],[0-9]{3}\.[0-9]{2}\.\\r\\r\\n<br>A printer friendly attachment is now included with each email.<br>Click on the attachment to open or save the printer friendly version of your report.\\r\\n"
"Guten Tag, {{name_or_email}}\\r\\n<br>\\r\\n<br>\\r\\n<br>\\r\\nim Anhang dieser E-Mail erhalten Sie Informationen zu Ihrem Vertrag.\\r\\r\\n<br>\\r\\n"

Email templates spammed out by Emotet not only contain the malicious response but also all the previous emails from the stolen thread, combined to create a single masterful lure. Our analysis of the legitimate emails from the threads has allowed us to create a graph of dates that are left in by email clients such as Outlook and Gmail when you create a response to an email.

It’s hard to make conclusive statements based on this data alone as there are many factors which influence the data:

  • The email threads may contain multiple responses, adding additional dates and noise
  • The attacks are geographically targeted and clustered
  • We lack full visibility of when the email stealer module has been used
  • Email dates do not strongly correlate with the other victim data we have

We assess with moderate confidence that Emotet email collection began during November 2018, although there may be threads stolen prior to that.

Conclusion

DKIM and SPF validation on your inbound mail servers can help prevent you from falling victim to these campaigns while the actors are spoofing the sender address. Additionally, we recommend that your own domains make use of DMARC and correctly implement DKIM and SPF, so that others can validate that mail claiming to come from your email domain is legitimately coming from you.
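To make that recommendation concrete, here is an added example (not from the original post) that models the DMARC decision a receiving mail server makes for a message whose From: header is spoofed in the way described above. It implements the SPF/DKIM identifier-alignment rules from the DMARC specification in simplified form (organizational-domain matching is approximated with the last two labels rather than the Public Suffix List) and runs them over constructed authentication results: one message relayed from a compromised account with a forged agency From: address, and one genuine message from that agency. The same spoof is evaluated against a monitoring-only record (p=none) and an enforcing record (p=reject) to show why the policy tag, not just the presence of a record, decides whether the lure reaches the inbox. All domains and records are placeholders.

```python
"""Model of the DMARC alignment check that catches a spoofed From: address.

Added example, not from the original post. Simplified: org-domain matching
uses the last two labels instead of the Public Suffix List, and pct/sp tags
are ignored.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class AuthResults:
    """What the receiving MTA knows after its own SPF and DKIM checks."""
    header_from_domain: str  # domain of the visible RFC 5322 From: header
    spf_result: str          # "pass", "fail", "softfail", "none", ...
    spf_domain: str          # envelope MAIL FROM domain SPF was evaluated for
    dkim_result: str         # "pass", "fail", "none"
    dkim_domain: str         # d= tag of the verified signature, "" if unsigned


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse the tag=value pairs of a _dmarc TXT record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Approximation only: real implementations consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if not auth_domain or not from_domain:
        return False
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(r: AuthResults, record: str) -> Tuple[str, str]:
    """Return (dmarc_result, requested_disposition) for one message."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(
        r.spf_domain, r.header_from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(
        r.dkim_domain, r.header_from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


# Constructed: a bot relays mail whose From: claims an agency domain while the
# envelope sender belongs to a compromised account; there is no DKIM signature.
# SPF may well pass for the compromised domain, but it is not aligned with From:.
SPOOFED = AuthResults("agency.example", "pass", "stolen-account.example", "none", "")
# Constructed: genuine mail from the agency, DKIM-signed with its own domain.
LEGITIMATE = AuthResults("agency.example", "pass", "mail.agency.example",
                         "pass", "agency.example")

# Monitoring-only policy: the spoof fails DMARC but the receiver is asked to deliver it.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example"
# Enforcing policy with strict alignment: the same failure now carries a reject request.
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@agency.example"

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD)):
        print(f"{name:>6}: spoofed -> {dmarc_verdict(SPOOFED, rec)}, "
              f"legitimate -> {dmarc_verdict(LEGITIMATE, rec)}")
```

Note that the legitimate message still passes under strict alignment because its DKIM d= domain matches the From: domain exactly, even though its SPF domain is a subdomain; that is why the post recommends implementing DKIM and SPF correctly before moving a policy to p=reject.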

The targets we have sampled include a concerning list of just about every organization type, including state and local governments. Emails are being sent out with high velocity, with all the hallmarks of a well thought-out and orchestrated campaign.

Kryptos Logic is currently monitoring the evolution of this campaign and will report back in the future when more data is available. We not only collect the infected IPs of Emotet hosts, we also collect data on many other malware families, which can help organizations assess their current breach and risk exposure. Your organization can receive our updates and upcoming features by signing up for our Telltale Threat Intelligence Service.


  1. NirSoft is a popular developer of legitimate freeware utilities; however, their software is sometimes unwittingly repurposed by malicious actors.