On Friday, July 17, many of us woke up to a bunch of new phishing emails. What happened over night? Well, like Sherrod DeGrippo from ProofPoint wrote, emotet returns after a 5 month hiatus. Emotet is a banking trojan that gains access to end user machines and steals their financial information such as login information and personal identifiable information (PII). This week, we met with Sherrod and discussed Emotet. As usual, we create an adversary emulation plan based on Cyber Threat Intelligence and then emulate it with SCYTHE. We share the emulation plan so the community can also emulate the Emotet campaign to test and improve people, process, and technology. Lastly, we discuss how to defend against Emotet, in this case, we cover training the end users by performing phishing simulations. We hope you enjoy it.
Cyber Threat Intelligence
This week, our Cyber Threat Intelligence comes from a company that is at the forefront of email security, ProofPoint. We interview Sherrod DeGrippo who wrote the article emotet returns after a 5 month hiatus to understand what Emotet is, how they operate, and how we can improve security. Here is this week’s interview:
We found a number of additional resources related to the latest Emotet campaign to pull out the Cyber Threat Intelligence:
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service
- https://arstechnica.com/information-technology/2020/07/destructive-emotet-botnet-returns-with-250k-strong-blast-of-toxic-email/
- https://www.bleepingcomputer.com/news/security/emotet-spam-trojan-surges-back-to-life-after-5-months-of-silence/
- https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/
An excellent resource to see replays of what occurs when someone falls for the phishing email and opens the emotet document is the site any.run. Here are a few for emotet:
- https://any.run/malware-trends/emotet
- https://app.any.run/tasks/a434f4f2-994b-4e53-99bf-955697e2aff1/
- https://app.any.run/tasks/876c3d4d-f46e-4ade-9f2c-3207c4baa82d/
Emotet has been around for a number of years and is tracked by MITRE ATT&CK. We can see the TTPs via the ATT&CK Navigator Layer created from the JSON in the SCYTHE Community Github.
Adversary Emulation Plan
Emotet works by spamming targets with business-related emails containing malicious Office documents that are either attached to the email or with a link to download the malicious file. If someone falls for the phishing email, opens the document, and enables macros, the Emotet malware will execute.
As usual, below is the adversary emulation profile for Emotet. The emulation plan can be downloaded from the SCYTHE Community Threats Github and imported to your SCYTHE instance.
Defend against Emotet
Defending against emotet and other phishing campaigns can be broken up by people, process, and technology. ProofPoint is an excellent technology solution to cut down and stop phishing and malicious emails from getting to users.
From a people and process perspective, user awareness training is one of the best defenses against phishing attacks like emotet campaigns. Creating a phishing simulation program involves coordination with a number of internal teams but at a high level:
- Create an email template that is used against the target organization
- Create a unique link per email address
- Send the emails to the target addresses
- Metrics: Clicked email (failed test); Reported email (passed test)
- If someone clicks on the email, they should get a message immediately informing them this was a test and with best practices of what to do next time
- People reporting the phishing email should have some sort of positive reinforcement
Conclusion
Emotet campaigns are back and ProofPoint was quick to catch it. We had a chat with Sherrod DeGrippo from ProofPoint and discussed the new campaign, phishing as a whole, emulating emotet, and how to defend against it. We created an adversary emulation plan and shared it on our Github. Lastly, we covered how to defend against phishing attacks by focusing on people, process, and technology. We hope you enjoyed it.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
About SCYTHE
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.
Comments