IT Security Information

Get regular updates on current threats such as ransomware, phishing, CEO fraud and business email compromise.

Email Conversation Thread Hijacking

Email Conversation Thread Hijacking

You should only open email attachments and links from senders you know is an advice often given when it comes to preventing email-based malware and phishing attacks. However, in this article we outline an attack technique called email conversation thread hijacking, which uses victim’s existing email conversations and thus trust-relationships to spread to new victims. Against this attack the previous advice will not help. We explain how email conversation thread hijacking is used by attackers, and why it dramatically increases the likelihood for victims to open malicious links or malicious attachments.
Emotet Update increases Downloads

Emotet Update increases Downloads

The Hornetsecurity Security Lab observed a 1000 % increase in downloads of the Emotet loader. The increase in Emotet loader downloads correlates with Emotet’s packer change, which causes the Emotet loader to be less detected by AV software. Our gathered data suggests that the increase in Emotet loader downloads stems from the loader being detected less and thus also the Emotet loader download URLs being blocked less by security mechanisms. Our data, however, also suggests that AV vendors are already closing the detection gap and the detection of the Emotet loader should increase again and thus the number of downloads decreasing again. This analysis is a good display of the impact of the changes to the Emotet loader’s packer.
The webshells powering Emotet

The webshells powering Emotet

The Hornetsecurity Security Lab presents details on the webshells behind the Emotet distribution operation, including insights into payload downloads and how from 2020-07-22 to 2020-07-24 Emotet payloads on Emotet download URLs were replaced with HTML code displaying GIFs. The analysis shows that the number of downloads of the malicious content behind the Emotet download URLs is significant and has been observed peaking at 50,000 downloads per hour. Highlighting that Emotet emails do get clicked. The analysis further shows that compromised websites are not just compromised once but multiple times by different actors and cleanup efforts by the website administrators are often insufficient leading to re-enabling of the malicious Emotet downloads.
Emotet is back

Emotet is back

On 2020-07-17 the Hornetsecurity Security Lab detected the return of Emotet malspam. The reemerging Emotet malspam was already blocked by existing detection rules. The current Emotet malspam wave again uses malicious macro documents spread either via attachments or via malicious download links. As usual, the VBA macros in the document download the Emotet loader that the Hornetsecurity Security Lab has previously analyzed.
Firefox Send sends Ursnif malware

Firefox Send sends Ursnif malware

On 2020-07-07 Mozilla temporarily disabled their Firefox Send service due to abuse by malware. Hornetsecurity’s Security Lab explains how malware was abusing the Firefox Send service. To this end, a malspam campaign distributing a variant of the Ursnif malware is analyzed. The campaign used the Firefox Send service to host its malicious downloader and send victims these malicious Firefox Send links. Such abuse prompted Mozilla to disabled the Firefox Send service, because the service is currently lacking a feature to report abuse. Meaning even if researchers found these malicious links they could not be reported to Mozilla for takedown. However, our analysis further reveals that malware already abuses other services, hence, disabling Firefox Send – even though it was the right decision – has no impact on malware campaigns.
Deepfakes – A New Threat to Organizations

Deepfakes – A New Threat to Organizations

A hacker is smart, much smarter than the average. With just a few clicks and a few key combinations, he’s hacked into the systems of governments, government agencies and large corporations. He avoids the public and acts in secret. His skin is pale, he always wears dark clothes and works late into the night – that’s what Hollywood tells us. And the stereotypes created by the film industry remain in our consciousness…But who is behind the ingenious attacks that frighten whole companies?

Sign Up Hornet News

The new Cyberthreat Report