Comeback of Emotet

Comeback of Emotet

by | Nov 16, 2021 | Threat Research

Summary

Hornetsecurity observes that the Emotet botnet became active after its shut down in January 2021. Hornetsecurity’s Security Lab already identified new Emotet malspam campaigns in the wild.

Background

Emotet (also known as Heodo) was first observed in 2014. It was a banking trojan stealing banking details and banking login credentials from victims. But it pivoted to a malware-as-a-service (MaaS) operation providing malware distribution services to other cybercriminals. Today, Emotet is probably the most prolific malware distribution operation. To this end, it steals the emails of its victims and replies to the victim’s previous conversations. This is known as email conversation thread hijacking.5 Hornetsecurity has written numerous blogposts about Emotet.2,3,4,5,6,7

On 2021-01-27, Europol announced that an international worldwide coordinated law enforcement and judicial action had disrupted the Emotet botnet, and investigators have taken control of Emotet’s infrastructure. The Emotet botnet was subsequently shut down by law enforcement.8

The comeback

On 2021-11-15, TrickBot malware was installed via malspam, downloaded, and installed the Emotet malware. Subsequently, the Emotet botnet was rebuilt and started to send malspam from its botnet again.

They send different malicious documents (XLSM and DOCM).

Emotet email with malicious document attachment

In some cases, the malicious documents were also placed in encrypted ZIP archives. The passwords were in plain text in the emails.

Emotet email with malicious document attachment

As already stated, Emotet used email conversation thread hijacking5, meaning it steals the emails of its victims and then replies (often even from the victim’s account) to exiting email conversations quoting the previous conversation in the email. This makes victims very susceptible to these Emotet emails.

Countermeasures

Hornetsecurity’s technical defense mechanisms do not get fooled by social engineering techniques such as the employed email conversation thread hijacking.

Hornetsecurity’s Advanced Threat Protection combats the Emotet threat with the following features:

  • Malicious document decryption can use the password listed in the email to decrypt the encrypted ZIP archives.
  • Hornetsecurity’s ATP sandbox will detect the malicious documents (even if previously unknown).

Hornetsecurity's ATP sandbox detecting malicious Emotet document

With the details mentioned above, we strictly recommend our Advanced Threat Protection services for adequate protection against sophisticated adversaries such as Emotet, who may change their attack patterns at any given time. Signatures for known malicious Emotet documents will be added to Hornetsecurity’s Spam and Malware Protection also to protect customers that do not have ATP services booked.

References

Indicators of Compromise (IOCs)

URLs

  • http[:]//ranvipclub[.]net/pvhko/a/
  • http[:]//devanture[.]com[.]sg/wp-includes/XBByNUNWvIEvawb68/
  • http[:]//av-quiz[.]tk/wp-content/k6K/
  • https[:]//team.stagingapps[.]xyz/wp-content/aPIm2GsjA/
  • https[:]//newsmag.danielolayinkas[.]com/content/nVgyRFrTE68Yd9s6/
  • https[:]//goodtech.cetxlabs[.]com/content/5MfZPgP06/
  • http[:]//visteme[.]mx/shop/wp-admin/PP/
Email Threat Review October 2021

Email Threat Review October 2021

by | Nov 16, 2021 | Threat Research

Executive Summary

  • This month, we saw a continuation of the large scale phishing attack against German banks that started at the end of last month.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in October 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 80.92
Spam 13.50
Threat 4.68
AdvThreat 0.86
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The large spike in unwanted emails, around 2021-10-26, can be attributed to a monthly reoccurring sextortion scam email campaign.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
HTML 37.3
Archive 25.8
PDF 13.1
Excel 7.0
Disk image files 5.2
Other 4.2
Executable 3.4
Word 3.3
Powerpoint 0.4
Script file 0.1

Other file types not individually listed are email files (forwarded as .eml attachments), Windows desktop shortcut files (.lnk), Internet shortcut files (.url), Java Archive files (.jar), iCalendar files (.ics), vCard Files (.vcf), e-book file formats (.epub, .mobi), and many other even more exotic file formats. These are combined under “Other”.

The following time histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).

Industries Share of threat in threat and clean emails
Education industry 5.6
Healthcare industry 5.6
Manufacturing industry 5.5
Research industry 5.4
Automotive industry 4.8
Media industry 4.7
Construction industry 4.6
Utilities 4.4
Mining industry 4.1
Transport industry 4.0

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
Sparkasse 47.4
Volks- und Raiffeisenbank 17.7
Other 6.9
Deutsche Post / DHL 5.8
Amazon 5.4
DocuSign 4.4
PayPal 2.4
UPS 2.1
LinkedIn 1.5
Fedex 1.5

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

Here we see the continued impersonation of two German banking associations to spread phishing.

Ransomleaks

Threat actors continue to leak data stolen from ransomware victims to pressure them to pay for decrypting the files and not publishing sensible data. Our automated monitoring observed the following number of leaks on ransomware leak sites (not protected by CAPTCHAS):

Leak site Number of victim data leaks
Conti 65
Blackmatter 44
Pysa 27
Hive 8
Cuba 7
LV 6
REvil 4
Vice Society 4
Everest 3
Atomsilo 2
Bonaci 2
Xing Team 2
RansomEXX 1

The following bar chart visualizes the number of victim data leaks per leak site.

Ransomleaks

We add the following ransomware leak sites to our monitoring:

  • Atomsilo

Atomsilo leak site

  • Blackmatter

Blackmatter leak site

  • Bonaci

Bonaci leak site

On 2021-10-04, Europol announced two arrests and seven property searches in Ukraine in relation to a ransomware gang. Europol did not name the ransomware gang.1

On 2021-10-26, Europol announced action against 12 criminals involved with LockerGoga, MegaCortex and Dharma ransomware, among others.2

On 2021-10-29, the US Justice Department announced the extradition of a Russian national from South Korea to the US for its alleged role in Trickbot malware development and deployment.3

References

Email Threat Review October 2021

Email Threat Review September 2021

by | Oct 14, 2021 | Threat Research

Executive Summary

  • This month, large scale phishing attacks against two German banking associations (Sparkasse and Volksbanken und Raiffeisenbanken)

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in September 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 80.83
Spam 14.15
Threat 4.07
AdvThreat 0.91
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails around 2021-09-23 can be attributed to a monthly reoccurring sextortion scam email campaign written in the German language that we observe each month.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
HTML 37.2
Archive 28.8
PDF 11.3
Excel 6.4
Disk image files 4.6
Other 4.0
Word 3.7
Executable 3.5
Powerpoint 0.2
Script file 0.2

The following time histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

We see the continuation of last month’s observation concerning the increase in HTML file attachments (.htm, .html, etc.) used in attacks. On closer analysis, the growth can be attributed to multiple campaigns using HTML files for phishing by having the phishing website attached directly to the email1 (thus circumventing URL filters). We already report on this technique in our blog.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).

Industries Share of threat in threat and clean emails
Manufacturing industry 6.0
Research industry 5.7
Media industry 5.3
Healthcare industry 5.2
Automotive industry 5.1
Education industry 5.1
Transport industry 5.0
Construction industry 4.9
Mining industry 4.9
Retail industry 4.4

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

We observe an overall increase in threat emails per clean email received for all industry sectors.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Other 39.0
Phishing 29.1
Impersonation 10.3
URL 10.0
Advance-fee scam 3.5
Extortion 3.1
Executable in archive/disk-image 3.1
Maldoc 1.9

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
Sparkasse 19.7
Volks- und Raiffeisenbank 15.0
Deutsche Post / DHL 13.5
DocuSign 12.5
Other 11.3
Amazon 8.9
PayPal 4.6
LinkedIn 1.9
Microsoft 1.7
UPS 1.3
HSBC 1.1

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

There is a significant increase in campaigns impersonating the German banks Sparkasse and Volks- und Raiffeisenbank. We detected multiple different phishing email campaigns targeting these two German banks.

One example phishing email impersonating Sparkasse:

Sparkasse Phishing

One example phishing email impersonating Volks- und Raiffeisenbank:

VR-Bank Phishing

In all variants of the large-scale campaigns, the banks allegedly changed their (security) processes and the user needs to log in to confirm the change to retain access to their bank account.

Ransomleaks

Threat actors continue to leak data stolen from ransomware victims to pressure them to pay for decrypting the files and not publishing sensible data. We observed the following number of leaks on ransomware leak sites:

Leak site Number of victim data leaks
Conti 40
LockBit 2.0 34
Pysa 15
Everest 8
Vice Society 7
Hive 5
REvil 5
RansomEXX 3
Lorenz 1

The following bar chart visualizes the number of victim data leaks per leak site.

Ransomleaks

On 2021-09-16, an unnamed law enforcement agency obtained the decryption keys for the REvil ransomware and BitDefender released a decryptor.

On 2021-09-21, the Department of the Treasury’s Office of Foreign Assets Control’s (OFAC) added SUEX OTC, S.R.O. (SUEX), a virtual currency exchange, to its OFAC sanction list for its part in facilitating financial transactions for ransomware actors. Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors related to ransomware.2

This month LockBit 2.0 added a DDOS protection CAPTCHA to their site.

LockBit 2.0 DDOS protection

Cl0p ransomware has also added a CAPTCHA to their leak site, preventing automatic monitoring of announcements.

Cl0p CAPTCHA

Cl0p CAPTCHA

References

Email Threat Review October 2021

Email Threat Review August 2021

by | Sep 14, 2021 | Threat Research

Executive Summary

  • We observed an increase in HTML attachment-based phishing.

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in August 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 83.19
Spam 12.92
Threat 3.02
AdvThreat 0.83
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails around 2021-07-31 can be attributed to the monthly reoccurring sextortion scam email campaign written in the German language that regularly causes spikes in rejected emails.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 33.7
HTML 25.1
PDF 14.9
Excel 8.7
Word 5.1
Other 4.3
Executable 4.0
Disk image files 3.8
Script file 0.3
Powerpoint 0.1
Email 0.0
LNK file 0.0

The following time histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

We can detect an increase of HTML file attachments (.htm, .html, etc.) used in attacks. On closer analysis, the increase can be attributed to multiple campaigns using HTML files for phishing by having the phishing website attached directly to the email1 (thus circumventing URL filters). We already report on this technique in our blog.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails received (in median).

Industries Share of threat in threat and clean emails
Manufacturing industry 4.3
Entertainment industry 3.7
Research industry 3.5
Media industry 3.4
Healthcare industry 3.4
Mining industry 3.3
Transport industry 3.3
Education industry 3.0
Hospitality industry 2.9
Automotive industry 2.8

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Other 40.2
Phishing 27.8
URL 11.2
Impersonation 5.8
Advance-fee scam 4.8
Executable in archive/disk-image 4.0
Extortion 3.7
Maldoc 2.4
LNK 0.0

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

The increase in malicious documents at the end of the month can be attributed to backscatter from a Formbook malspam campaign spoofing the email address of one of our customers. Many of the bounce messages contained the malicious documents of the campaign and were detected by our filters.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
DocuSign 18.2
Deutsche Post / DHL 17.9
Other 16.8
Amazon 12.6
PayPal 10.0
Microsoft 2.8
Volks- und Raiffeisenbank 2.6
HSBC 2.0
LinkedIn 1.8
O2 1.4
Santander 1.1
Tesco 1.1

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

It’s a constant stream of phishing and other attacks impersonating big brands and organizations to entice recipients to open the emails.

Ransomleaks

Threat actors continue to leak data stolen from ransomware victims to pressure them to pay for decrypting the files and not publishing sensible data. We observed the following number of leaks on ransomware leak sites:

Leak site Number of victim data leaks
LockBit 2.0 87
Conti 46
Hive 27
Pysa 16
Everest 5
Cuba 4
RansomEXX 4
LV 3
Vice Society 3
Lorenz 2
Cl0p 1
RagnarLocker 1
Suncrypt 1
Xing Team 1

The following bar chart visualizes the number of victim data leaks per leak site.

Ransomleaks

On 2021-08-12, the SynAck ransomware operation renamed itself to El_Cometa. Additionally, the decryption keys for the SynAck ransomware were released. 2 Our monitoring registered a total of 15 victims on SynAck’s leak site in June and Juli. The operation under the SynAck name was, therefore, rather short-lived.

According to reports3 the Ragnarok ransomware shut down its operation on 2021-08-27. Our monitoring saw the Ragnarok leak site last online on 2021-05-17. In total, the groups leak site published data of 22 victims. The operators behind the Ragnarok ransomware have also released a universal decryption key.

This practice of releasing decryption keys after shutting a ransomware operation down is widespread. It is likely an attempt by the threat actors behind the ransomware to cut all ties to the operation and allow victims to recover and remove reasons for victims and law enforcement to pursue the threat actors any longer. It also provides plausible deniability in case the threat actors are caught with the once-secret but now public and for everyone accessible decryption keys.

References

Email Threat Review October 2021

Email Threat Review July 2021

by | Aug 4, 2021 | Threat Research

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in July 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category %
Rejected 84.05
Spam 11.99
Threat 3.02
AdvThreat 0.91
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

The spike in rejected emails on 2021-07-30 can be attributed to the monthly reoccurring sextortion scam email campaign written in German that caused similar spikes in previous months.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 30.0
PDF 20.8
HTML 17.1
Executable 11.7
Excel 7.0
Word 5.4
Other 4.3
Disk image files 3.3
Script file 0.1
Powerpoint 0.1
Email 0.0
LNK file 0.0

The following time histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

Here we see an increase in malicious Word documents being used in attacks. In the previous month, only 3.6 % of attacks used Word documents. Word documents used to be the dominant document format used in document-based attacks. However, in 2020 many threat actors switched to Excel documents using the old Excel 4.0 macro feature to execute malicious code, causing the number of malicious Word documents used in attacks to decrease. Security vendors significantly less detected Excel 4.0 macro attacks compared to VBA macro-based attacks. However, since Microsoft has added Excel 4.0 macro support to AMSI1 the increase in malicious Word documents could mean that threat actors may be considering switching back to using predominantly Word documents in their document-based attacks again instead of Excel documents.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to clean emails received (in median) by each industry.

Industries Share of threat in threat and clean emails
Research industry 4.3
Manufacturing industry 3.8
Agriculture industry 3.4
Transport industry 3.4
Education industry 3.2
Entertainment industry 3.1
Mining industry 3.1
Media industry 2.9
Hospitality industry 2.9
Healthcare industry 2.8

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

For comparison last month’s email-based threat index bar chart:

Hornetsecurity Industry Email Threat Index

We observe a decrease in the overall email threat score.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique %
Other 53.2
Phishing 24.2
URL 8.1
Executable in archive/disk-image 4.7
Advance-fee scam 3.7
Extortion 2.8
Impersonation 2.2
Maldoc 1.1
LNK 0.0

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

There are no significant anomalies.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization %
DocuSign 20.5
PayPal 13.4
Deutsche Post / DHL 12.4
Amazon 11.7
LinkedIn 4.3
Microsoft 2.5
HSBC 2.2
Santander 2.2
O2 1.7
Volks- und Raiffeisenbank 1.6

The following histogram shows the email volume for company brands and organizations detected in impersonation attacks per hour.

Impersonated company brands

It’s a constant stream of phishing and other attacks impersonating big brands and organizations to entice recipients to open the emails.

Highlighted threat email campaigns

In this section, we want to highlight some malspam campaigns of prominent, well-known threat actors.

Please be advised that this does not contain all campaigns. The ranking, as well as volume figures, should therefore not be taken as a global ranking. We strive to expand this section of our reporting in the future.

The following time histogram shows the email volume for highlighted threat email campaigns per hour.

Highlighted threat email campaigns

Methodology

Hornetsecurity observes thousands of different threat email campaigns of varying threat actors ranging from very unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only a subset of those threat email campaigns.

Ransomleaks

Threat actors continue to leak data stolen from ransomware victims to pressure them to pay for decrypting the files and not publishing sensible data. We observed the following number of leaks on ransomware leak sites:

Leak site Number of victim data leaks
LockBit 2.0 66
Conti 36
Hive 16
Synack 11
Lorenz 8
REvil 7
Everest 5
Promethous 5
Vice Society 4
Grief 3
RansomEXX 3
Cl0p 2
LV 2
RagnarLocker 2
Xing Team 2
Nephilim 1

The following bar chart visualizes the number of victim data leaks per leak site.

Ransomleaks

A new addition to our data set is the leak site of LockBit 2.0. The site has been up already in June, and the actors behind the site were looking for affiliates.

LockBit 2.0 leak site

It offered its potentials partners in crime a performance comparison of the LockBit 2.0 ransomware compared to other RaaS (ransomware-as-a-service) offerings.

LockBit 2.0 leak site

It also offered a comparison of transfer speeds for data exfiltration.

LockBit 2.0 leak site

Then on 2021-07-13, the leak site started posting data of victims.

LockBit 2.0 leak site

With 66 victims, LockBit 2.0 announced almost twice as many victims as Conti, the leak site with the second most victims this month.

 

References

Email Threat Review October 2021

Email Threat Review June 2021

by | Jul 14, 2021 | Threat Research

Summary

In this installment of our monthly email threat review, we present an overview of the email-based threats observed in June 2021 and compare them to the previous month’s threats.

The report provides insights into:

Unwanted emails by category

The following table shows the distribution of unwanted emails by category.

Email category %
Rejected 84.05
Spam 11.57
Threat 3.41
AdvThreat 0.94
Content 0.03

The following time histogram shows the email volume per category per day.

Unwanted emails by category

Around 2021-06-13, we registered a large spike in rejected emails. Based on a significant text overlap, we can attribute this to a German-language sextortion scam campaign we observed in previous months.

Sextortion campaign June 2021

As of writing, the campaign netted the criminals US$ 4,351 in BTC. Therefore the campaign is most likely profitable and thus will most likely return next month.

Methodology

The listed email categories correspond to the email categories listed in the Email Live Tracking of Hornetsecurity’s Control Panel. So our users are already familiar with them. For others, the categories are:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes, such as phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails) %
Archive 29.0
HTML 16.9
PDF 15.0
Other 13.0
Executable 11.0
Excel 6.9
Disk image files 4.4
Word 3.6
Powerpoint 0.1
Email 0.0
Script file 0.0
LNK file 0.0

The following time histogram shows the email volume per file type used in attacks per 7 days.

File types used in attacks

Between 2021-06-07 and 2021-06-10, Hornetsecurity detected a rise in executable email attachments. We can attribute this to a malspam campaign containing a Nanocore RAT executable dropping Agent Tesla in an archive attached to the email.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to clean emails received (in median) by each industry.

Industries Share of threat in threat and clean emails
Transport industry 5.6
Research industry 5.4
Entertainment industry 4.7
Education industry 4.6
Manufacturing industry 4.5
Hospitality industry 3.9
Media industry 3.8
Healthcare industry 3.7
Retail industry 3.6
Unknown 3.4

The following bar chart visualizes the email-based threat posed to each industry.

Hornetsecurity Industry Email Threat Index

For comparison last month’s email-based threat index bar chart:

Hornetsecurity Industry Email Threat Index

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculated the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values overall organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack technique used in attacks.

Attack technique %
Other 50.8
Phishing 26.0
URL 9.4
Extortion 4.3
Executable in archive/disk-image 4.0
Advance-fee scam 2.4
Impersonation 2.2
Maldoc 1.0
LNK 0.0

The following time histogram shows the email volume per attack technique used per hour.

Attack techniques

Between 2021-06-07 and 2021-06-10, there were elevated levels of executables in archives. This is due to the campaign, as mentioned earlier, delivering Nanocore RAT as executable in an archive file (e.g., “.7z”, “.Zip”).

Impersonated company brands or organizations

The following table shows which company brands our systems detected most in impersonation attacks.

Impersonated brand or organization %
DocuSign 19.8
Other 15.9
Deutsche Post / DHL 15.7
Amazon 11.6
PayPal 8.6
LinkedIn 5.9
Microsoft 2.5
O2 2.1
HSBC 2.0
Santander 1.9

The following time histogram shows the email volume for company brands detected in impersonation attacks per hour.

Impersonated company brands

It’s a constant stream of phishing and other attacks impersonating big brands to entice recipients to open the emails.

Starting on 2021-06-07, we observed a large-scale phishing campaign impersonating LinkedIn.

LinkedIn phishing June 2021

Highlighted threat email campaigns

In this section, we want to highlight some malspam campaigns of prominent, well-known threat actors.

The following time histogram shows the email volume for highlighted threat email campaigns per hour.

Highlighted threat email campaigns

Please be advised that this does not contain all campaigns. The ranking, as well as volume figures, should therefore not be taken as a global ranking. We strive to expand this section of our reporting in the future.

While the Hancitor campaign overshadows all other campaigns w.r.t. to volume per hour, we can see that the QakBot malspam of botnet group tr we saw emerging last month has established itself as a reoccurring campaign. Such endless running campaigns are usually only observed by very low-quality malspam campaigns or by more sophisticated spammers such as the Emotet botnet. To this end, QakBot, as previously reported, uses email conversation thread hijacking.

Methodology

Hornetsecurity observes thousands of different threat email campaigns of varying threat actors ranging from very unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only major sophisticated threat email campaigns.

Ransomleaks

Sophisticated threat actors exfiltrate confidential data from their victim’s networks. Exfiltrated data is then used as a method to pressure their victims into paying a ransom. If the victim does not pay the ransom, the confidential data is being published by the threat actors on so-called leak sites that are often only reachable through the TOR network. This trend continued in June. We observed the following number of leaks on ransomware leak sites:

Leak site Number of victim data leaks
Conti 66
Pysa 41
REvil 28
Promethous 22
Vice Society 14
Grief 11
Avaddon 10
Lorenz 8
Everest 7
RagnarLocker 6
Xing Team 5
Cl0p 4
Synack 4
LV 3
Hive 3
Cuba 3
RansomEXX 2
Suncrypt 1
MountLocker 1

The following bar chart visualizes the number of victim data leaks per leak site.

Ransomleaks

We added data collection for the following ransomware leak sites:

The leak site of the LV ransomware:

LV ransomware leak site

The LV ransomware re-purposes code of the REvil ransomware. The operators don’t seem to have access to REvil’s source code but have adapted an existing REvil ransomware binary by modifying strings in its binary code.1

The leak site of the Hive ransomware:

Hive ransomware leak site

The Hive ransomware seems to be a new ransomware strain.

The leak site of the Vice Society ransomware:

Vice Society ransomware leak site

Experts in the field of ransomware have concluded that Vice Society ransomware is identical to the HelloKitty ransomware.2

Special events

Because there have been several noteworthy events concerning the broader email threat landscape, we summarized them in this special section.

Avaddon ransomware releases decryption keys

On 2021-06-11, Avaddon released keys for over 2,934 victims.3 The Avaddon leak site listed only 186 victims that refused to pay the ransom. This means that Avaddon had 15-times more victims than published on their leak site. Under the assumption that the other ransomware operations have a similar ratio, the number of ransomware victims could be obtained by multiplying the number of victims on leak sites by 15.

Clop ransomware arrests

On 2021-06-16, the National Police of Ukraine announced they had arrested individuals suspected to have infected companies with the Clop ransomware.4 However, because the Clop ransomware operation continued running without interruption, it is assumed that the individuals arrested were only unimportant figures in the Clop ransomware operation, such as money mules, or sub-contractors.

We previously reported how the Clop ransomware is spread via malicious emails.

Gozi arrested

On 2021-06-29, the Office of the Attorney General of the Nation of Columbia has announced the arrest of one individual5 wanted by the U.S. since 20136 in connection with the Gozi malware. The individual operated a bulletproof host that helped cybercriminals distribute the Gozi malware and commit other cybercrimes, such as distributing malware including the Zeus Trojan and the SpyEye Trojan, initiating and executing distributed denial of service (DDoS) attacks, and transmitting spam.

TrickBot developer arrested

On 2021-06-15, the U.S. Department of Justice announced the arrest of a 55-year-old Latvian woman on multiple charges (19 counts of a 47-count indictment) for participating in the development of the TrickBot malware.7

We previously reported on how TrickBot is spread via malicious emails.

 

References