Heimdall News: Emotet Uses Encrypted Archive Formats

The current threat situation is shaped by the Emotet trojan. A striking feature of these attacks is that the attack patterns change rapidly, which makes it difficult to reliably detect Emotet at every level.

Emotet is very often distributed via emails that either contain an infected Word document with macros or a link to such a document. Another strategy of the attackers is to hide these malicious Word files in encrypted archive formats. The central problem is that classic malware scanners cannot decrypt the archive and therefore cannot examine its contents automatically. To make it as “easy” as possible for the victim, the password required for decryption is included in the text of the email (see examples). As a side effect, the attackers can simply re-encrypt the same malware over and over again: because the hash value changes with every re-encryption, simple hash-based protection mechanisms are bypassed.

Heimdall’s Watchful Eye

Based on the data collected in the Heimdall project, the NoSpamProxy experts can continuously monitor the threat situation and actively protect customers who are already participating in the Heimdall beta. A look at the sightings of encrypted ZIP archives provides the first indication of the threat:

[Graph 1: Heimdall, Operation Zip Lock: encrypted ZIP archives in total over the last four weeks]

This graph shows the number of encrypted ZIP archives seen over time. From 15.9.2020 on, a clear increase is visible. The trend becomes even clearer when looking only at the attachments of inbound emails that were not processed by Level of Trust, i.e. mail from senders without an established trust relationship. In general, it can be observed that a large proportion of malware comes from unknown communication partners. The corresponding time series is even more telling:

[Graph 2: Emotet uses encrypted archive formats]

It is obvious that the situation has changed significantly in the last two weeks. A closer look at the corresponding metadata reveals that a large part of these additional attachments is suspicious. For example, many file names contain words frequently used in malware campaigns, such as “IBAN”, “invoice” or “order”. Cryptolaemus also warns on Twitter about encrypted archives in conjunction with Emotet.
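As an added example (not from the original article and not NoSpamProxy code), the following Python sketch shows how a mail gateway can apply the signals described above without decrypting anything: the ZIP encryption flag is read from the archive’s central directory, the mail body is checked for a password hint, the file name for the keywords named above, and the sender for a known trust relationship. The sample archive, the password phrase pattern and the verdict rules are constructed assumptions.

```python
import io
import re
import zipfile

# Keywords the article names as frequent in malicious attachment names.
SUSPICIOUS_WORDS = ("iban", "invoice", "order")
# Constructed pattern for "Password: ..." style hints in a mail body (EN/DE).
PASSWORD_HINT = re.compile(r"\b(password|passwort|kennwort)\b\s*[:=]?\s*\S+", re.I)

def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry has the encryption bit set. Only the central directory
    is read: no password and no decryption is needed for this check."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def assess_attachment(filename: str, data: bytes, body: str, sender_known: bool) -> dict:
    """Combine the signals from the article into one verdict (constructed rules)."""
    name = filename.lower()
    signals = {
        "encrypted_zip": name.endswith(".zip") and zip_is_encrypted(data),
        "password_in_body": bool(PASSWORD_HINT.search(body)),
        "suspicious_name": any(w in name for w in SUSPICIOUS_WORDS),
        "unknown_sender": not sender_known,
    }
    # Encrypted archive plus its password in the same mail is the "Zip Lock"
    # pattern: quarantine. Encrypted archive from an unknown sender: hold for
    # administrator approval. Everything else is left to the regular scanners.
    if signals["encrypted_zip"] and signals["password_in_body"]:
        verdict = "quarantine"
    elif signals["encrypted_zip"] and signals["unknown_sender"]:
        verdict = "hold_for_approval"
    else:
        verdict = "deliver"
    return {"verdict": verdict, **signals}

def make_encrypted_zip_sample() -> bytes:
    """Constructed sample: a plain ZIP whose central-directory flag bit 0 is set,
    so header-level inspection sees it as encrypted (no real cipher is applied)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_IBAN_2020.doc", b"not a real document")
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02")  # central directory file header signature
    while pos != -1:
        data[pos + 8] |= 0x1  # general purpose bit flag at offset 8; bit 0 = encrypted
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)
```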

About mealybugs and ladybugs

The US company Symantec established the name “Mealybug” for the actors behind the Emotet trojan. The natural predators of mealybugs include ladybugs, and in Australia a particular species of ladybug (Latin: Cryptolaemus montrouzieri) is bred and marketed for this purpose. This is how the name of the unofficial “Emotet Working Group” was born: a worldwide collective of IT security experts who jointly fight the Emotet botnet and coordinate via Twitter. The IoCs (Indicators of Compromise: daily updated indicators for Emotet detection) collected by the Cryptolaemus team are consumed by Heimdall and are available in the Heimdall beta.

Optimise Existing Protection Through Optimal Configuration

All NoSpamProxy customers participating in the Heimdall beta are already protected by Heimdall’s warnings in many cases. Nevertheless, it is highly recommended to configure the system locally as well as possible to meet the current situation.

Check Password-Protected Files Carefully

In general, best practice for encrypted content is not to deliver it without checking it for spam, malware or policy violations. As described above, the danger posed by encrypted ZIP archives is currently very high due to the Emotet operation “Zip Lock”. Anyone who has not yet done so is well advised to define a company policy for password-protected files as soon as possible and to implement it accordingly in NoSpamProxy.

Since 2018 we have strongly recommended a whitelisting approach for content filtering (keyword: email firewall). Customers who have already implemented this may not need to take any action at all, because receiving encrypted archives was not part of their workflow in the first place, for example when files are shared securely via the cloud or NoSpamProxy Large Files.

Configuring Content Filters Correctly

Since NoSpamProxy version 13.1, the file type “Encrypted ZIP-compressed file” is explicitly available in the content filter. This makes it possible to block these files initially and upload them to the Web Portal; only after manual approval by the administrator does the attachment become available to the end user. It is of course also possible to create content filter entries that differentiate between emails without trust (such as the current spam wave) and those from regular communication partners (identified accordingly by Level of Trust).

Use Heimdall Now

The Heimdall action in NoSpamProxy collects and analyses metadata about emails and attachments. The goal is to build an even more powerful anti-malware intelligence that detects and fends off spam and malware attacks even faster and more precisely. If you are interested in using the beta version of Heimdall, send an email with the subject “Heimdall activation” to NoSpamProxy support and attach a screenshot of your license details.