By Rodrigo Calvo, CISSP, PCIP,Symantec Knight
Sr. Security Consultant at Infolock.
In July 2018 the Symantec Security Response Attack Investigation Team published an article about the evolution of the Trojan.Emotet, a malware designed by the Mealybug group. In early 2019, customers from Latin America were infected with a Spanish version. This article will enumerate some specific findings from these events and then examine the ability of Email Security.Cloud to defend organizations against this and other similar attacks.
Attack Target: Latin America
During the third week of January 2019, many Central and South American customers received an email with a well-translated subject of Invoice (Spanish: Factura).
This is well-known Emotet behavior. The malware uses standard social engineering techniques and includes the name of the person whose email account has been compromised to make it seem less like spam email.
Email Provider Filters: Not Up to the Challenge
In this case, it is possible to confirm that the email was partially spoofed. Below is a comparison between the spoofed and the expected email:
The IP address used to send most of the spoofed emails for this attack belongs to an Argentina-based company with a Qmail service. The company may have a vulnerability or misconfiguration, which allowed an almost clean delivery of the Emotet malware.
About the infected document:
The attached document included VBA macros and a “suggestion” for the user to enable editing. By doing so, the malware would run.
The dissection of this suspicious file, known by Symantec as Trojan.Emotet, shows common elements such as:
- TCP communication over ports 80, 8080, 22,990 (it’s assumed that one of those will be C&C and others used to collect info)
b. Attempts or successful connections to different IP addresses across one of four countries:
c. As stated by Symantec months ago, the Emotet variants evolved to drop more pieces of malware. For example, newly confirmed Trojan.Emotet variants include file names or extensions like 726.exe, and *.tmp. A quick review of the malicious VBA script actions also shows:
a. It reads PST files to extract the sender names and email addresses of the messages with the final goal of distributing more spam.
b. Once the malware code is active, it is able to download any kind of malware with functions ranging from basic data theft to more complex Ransomware.
Symantec Email Security.Cloud as an Effective Countermeasure for Trojan.Emotet
Symantec Email Security.Cloud can mitigate attacks similar to the previously described Trojan.Emotet. Customers can engage experts to configure Symantec Email Security.Cloud and, after an analysis of their architecture, have a solution built with best practice email policies, and recommended solution add-ons.
For example, these Emotet messages were able to pass through standard email filters, but Symantec Email Security.Cloud uses Symantec Cynic. This detects even the most complex threats designed to evade virtualized sandbox environments used to inspect files for malware. It also identifies malicious email attacks targeted to an organization or individual.
Customers with Properly Configured Symantec Email Security.Cloud Can:
- Get advanced reporting with over 25 data points of in-depth malware reporting, including URL information, malware category, detection method, and file hashes to better understand threats facing their organization.
- Respond faster with prioritized threat severity levels.
- Correlate data across security products with Symantec Synapse or via SIEM. Symantec Advanced Threat Protection Integration provides a single prioritized view of advanced attack activity in an organization across email, endpoints, networks, and web traffic.
- Prevent spear phishing attacks by isolating malicious links.
- Stop credential theft by safely rendering webpages in read-only mode.
- Shut down ransomware by shielding trusted applications from weaponized attachments.
- Apply anti-spoof controls.
For more information about Email Security.Cloud and how it can protect your organization, contact firstname.lastname@example.org.