Study: Emotet Banking Malware Responsible for 145% Increase in Threats Detected

The most prominent observation of this quarter’s research was the widespread global deployment of the Emotet “dropper” banking malware.

Stock Procurement Photo
Getty Images

Mimecast Limited, a leading email and data security company, announced the availability of the Mimecast® Threat Intelligence Report: RSA® Conference Edition, designed to provide technical analysis from Mimecast threat researchers on major campaigns carried out by threat actors, as well as outline trends emerging from these attacks and an assessment of likely future trends given threat actors’ current behavior, events and technology. The report uncovers the resurgence of Emotet as well as a combination of simplistic, low effort and low-cost attacks and highly complex, targeted campaigns.

Additionally, Mimecast introduced the Mimecast Threat Intelligence Hub to house specific threat intelligence insights, reports and vulnerability discoveries from the Mimecast threat intelligence research team.

The report provides analysis of 202 billion emails processed by Mimecast for its customers during the period from October 2019 through December 2019. Of those 202 billion, 92 billion were rejected. The team discovered and examined four main categories of attack types throughout the report: spam, impersonation, opportunistic and targeted. Compared to previous quarters, Mimecast researchers noted a marked difference in the more significant attacks conducted: the attacks targeted a wider range of companies across various sectors and for shorter periods of time than in previous quarters. The one sector that was particularly targeted this quarter was the retail industry, accounting for almost a third of the most significant campaign activity conducted by threat actors globally. However, given the holiday gift-giving season from October to December, some of this increase was to be expected. 

The most prominent observation of this quarter’s research was the widespread global deployment of the Emotet “dropper” banking malware, which had been seemingly inactive the previous four months. There were 61 significant campaigns identified, marking a 145% increase over last quarter despite fewer emails being analysed during the period. Emotet was a key driver in this spike, as the banking trojan/malware was a component in almost every attack identified. This massive increase in activity is highly likely to be an indication of threat actors refocusing their efforts from impersonation to exploiting the current effectiveness of ransomware.

“It’s no surprise that threat actors are using a combination of simplistic and sophisticated attacks to gain access to organizations. That’s also likely why we saw such a huge spike in the recently dormant Emotet campaign – they’re attempting to gain as much attack space as possible to land other sophisticated attacks or hold organizations hostage,” says Josh Douglas, vice president of threat intelligence at Mimecast. “These reports offer organizations a global view on how threats are evolving so they can make informed decisions on how to best strengthen their cyber resilience posture.”

Additional key findings outlined in the report:

·        The transportation, storage and delivery and retail and wholesale sectors were disproportionately attacked this past quarter due to the holiday season.

·         Emotet has been utilized far more extensively and has been seen in widespread campaigns against all sectors of the global economy. This discovery demonstrates a level of sophistication that goes beyond an opportunistic cybercriminal. In addition, due to the variety of businesses attacked, it’s highly likely the attacks continue to be carried out by highly organized criminal groups for monetary gain.

·         File compression continued to be an attack format of choice, but Emotet activity via DOC and DOCX formats substantially increased.

·         Although the number of impersonation attacks is slightly fewer, they remain a key attack vector. Impersonation attacks now include a range of voice messaging and a generally less coercive form of communication, which presents as a more nuanced and persuasive threat.

·         Relying on human error for success, bulk emailing remained a significant, high volume means to distribute malware. This trend will continue as it’s a powerful threat vector that can be deployed in huge volumes, increasing the possibility of success for threat actors.