Malicious URL links in emails are now one of the key threats spreading malware into computer systems, outnumbering email attachments five to one in prevalence.
This is according to California-based cybersecurity firm Proofpoint, whose quarterly threat report found that malicious URL links rose 180 percent year-on-year compared with Q1 2018.
Ransomware attacks via email are, however, on the decline as threat actors refine their attack vectors. In 2016 ransomware was one of the most prevalent forms of malware sent via email, but in the first quarter of 2019 it made up only one-tenth of one percent of all malicious payloads sent through email.
As Proofpoint notes in its report, however: “Ransomware has not disappeared altogether from the threat landscape. Rather, threat actors are now using ransomware in targeted attacks against key assets for much larger ransoms instead of attacking hundreds of thousands of recipients in low-ransom, high-volume malicious email campaigns. In short, threat actors are going for quality over quantity in their ransomware attacks.”
In its research Proofpoint found that the industries most affected by cyber attacks in the first quarter of 2019 were engineering, automotive and education. On average, organisations across all industries experienced 47 attacks during the first quarter.
Emotet Malware Tactic of Choice for Hackers
Proofpoint found that in the first quarter of 2019 over 60 percent of malicious payloads sent via email were facilitated by Emotet malware.
Emotet is highly multifunctional, botnet-driven malware that began life as a banking Trojan but now appears to be the malware delivery system of choice for threat actors.
In 2017 the European banking sector was under siege from Emotet, a self-propagating Trojan that spreads through computer networks, collecting machine information and sending it back to its command and control (C&C) servers.
Once it is in place on a single computer, Emotet downloads and executes a spreader module containing a password list, which it uses in brute-force attempts against other systems on the same network. Beyond the extra load from processes running in the background, this causes downtime for employees, whose accounts are locked out after too many incorrect password entries.
The module also sends phishing emails within the network, often using standard social engineering lures such as the word ‘invoice’ in the subject line; the email may also carry the name of the employee whose system has already been compromised. Once sensitive information has been collated it is sent back to the C&C server.
In a technical report cybersecurity enterprise Bromium noted that: “In recent years it has evolved into a much more damaging distribution network for malware. Once the machine is infected, it can be used to perform email spam campaigns or to download other malware samples. Emotet is a very professional campaign, fully polymorphic, so signature look-ups are not likely to be effective.”
They also showed how easily a threat actor can get what seems like an innocuous document past unsuspecting employees.
“In the top left corner of the document is a tiny text box (highlighted by a red circle in the image), so small it almost looks like a dead pixel on your screen. This edit box is where the changes for each malware infection are made. If you were to expand it, you would find the command line instructions that later get run in cmd.exe. The macro grabs the contents of the edit box and then calls cmd.exe, passing the content of the edit box as a parameter,” Bromium notes.
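Both behaviours described above leave telemetry that does not depend on the document's contents: the macro produces a process tree in which an Office application is the direct parent of cmd.exe, and the spreader produces a burst of failed logons from one host against its neighbours. The script below is an added example written for this article, not code from Proofpoint, Bromium or any Emotet analysis. It assumes simplified event shapes (a Windows Security 4625 logon failure and a Sysmon process-creation event reduced to a few fields), and the hostnames, accounts, timestamps and thresholds are constructed for illustration.

```python
"""Two detection rules for the Emotet behaviours described above, run over
constructed sample telemetry. Added example for this article; not code from
Proofpoint, Bromium or any Emotet analysis. The event shapes are assumptions:
simplified versions of a Windows Security 4625 logon failure and a Sysmon
event 1 process creation."""
from collections import defaultdict
from datetime import datetime, timedelta

# Office binaries that have no business being the direct parent of a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def logon_failure(ts, src_host, target_host, account):
    """Constructed stand-in for a 4625 event: who failed to log on where, from where."""
    return {"kind": "logon_failure", "ts": ts, "src_host": src_host,
            "target_host": target_host, "account": account}


def proc_create(ts, host, parent, image, cmdline):
    """Constructed stand-in for a Sysmon process-creation event."""
    return {"kind": "proc_create", "ts": ts, "host": host,
            "parent": parent, "image": image, "cmdline": cmdline}


# Constructed sample events (hostnames and accounts are invented).
SAMPLE_EVENTS = [
    # bob mistypes his password twice on his own machine: benign noise
    logon_failure("2019-03-04T09:00:05", "WS-03", "WS-03", "bob"),
    logon_failure("2019-03-04T09:00:21", "WS-03", "WS-03", "bob"),
    # Word on WS-17 spawns a printing helper (not a shell) and then cmd.exe
    proc_create("2019-03-04T09:09:20", "WS-17", "WINWORD.EXE", "splwow64.exe", "splwow64.exe"),
    proc_create("2019-03-04T09:09:40", "WS-17", "WINWORD.EXE", "cmd.exe",
                "cmd.exe /c echo constructed-sample"),
    # WS-17 then walks a password list against four neighbours in 90 seconds
    logon_failure("2019-03-04T09:10:00", "WS-17", "WS-21", "administrator"),
    logon_failure("2019-03-04T09:10:02", "WS-17", "WS-21", "administrator"),
    logon_failure("2019-03-04T09:10:04", "WS-17", "WS-22", "administrator"),
    logon_failure("2019-03-04T09:10:06", "WS-17", "WS-22", "alice"),
    logon_failure("2019-03-04T09:10:09", "WS-17", "WS-23", "alice"),
    logon_failure("2019-03-04T09:10:11", "WS-17", "WS-23", "alice"),
    logon_failure("2019-03-04T09:10:14", "WS-17", "WS-24", "finance"),
    logon_failure("2019-03-04T09:11:30", "WS-17", "WS-24", "finance"),
    # a shell started from the desktop shell is normal: no alert
    proc_create("2019-03-04T09:30:00", "WS-03", "explorer.exe", "cmd.exe", "cmd.exe"),
    # WS-09 fails once every six minutes: never five failures inside one window
    *[logon_failure(f"2019-03-04T10:{m:02d}:00", "WS-09", "FS-01", "carol")
      for m in (0, 6, 12, 18, 24, 30)],
]


def office_spawning_shell(events):
    """Rule 1: an Office application is the direct parent of a shell interpreter.
    This is the process tree the macro described above leaves behind."""
    return [e for e in events
            if e["kind"] == "proc_create"
            and e["parent"].lower() in OFFICE_PARENTS
            and e["image"].lower() in SHELL_CHILDREN]


def lateral_brute_force(events, window_minutes=5, min_failures=5):
    """Rule 2: one source host produces min_failures logon failures against the
    network inside a sliding window. Returns one alert per offending source,
    describing its busiest window, the hosts it hit and the accounts it tried."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "logon_failure":
            by_src[e["src_host"]].append(
                (datetime.fromisoformat(e["ts"]), e["target_host"], e["account"]))
    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()                       # chronological; tuples sort by timestamp first
        best, left = None, 0
        for right, (ts, _, _) in enumerate(attempts):
            while ts - attempts[left][0] > window:   # slide the window start forward
                left += 1
            span = attempts[left:right + 1]
            if len(span) >= min_failures and (best is None or len(span) > len(best)):
                best = span
        if best is not None:
            alerts.append({
                "src_host": src,
                "failures": len(best),
                "target_hosts": sorted({h for _, h, _ in best}),
                "accounts": sorted({a for _, _, a in best}),
                "first": best[0][0].isoformat(),
                "last": best[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for hit in office_spawning_shell(SAMPLE_EVENTS):
        print("office->shell:", hit["host"], hit["parent"], "->", hit["cmdline"])
    for alert in lateral_brute_force(SAMPLE_EVENTS):
        print("brute force:", alert)
```

On the constructed events the first rule flags only the WINWORD.EXE to cmd.exe creation on WS-17, and the second flags WS-17 alone: eight failures against four hosts inside 90 seconds, while bob's two typos and the slow, evenly spaced failures from WS-09 stay below the threshold. The parent-child rule is the more robust of the two because it keys on behaviour rather than on the document, which matters given Bromium's remark that the campaign is fully polymorphic and signature look-ups are unlikely to work; the thresholds in the second rule are starting points that need tuning against real baseline noise.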
Employee vigilance and cybersecurity literacy are still among the best defences against threat actors conducting email phishing campaigns.