Emotet continues to bypass many email security products

Posted by   Martijn Grooten on   Nov 4, 2019

Emails with a malicious link or attachment form only a small minority of the spam that is sent every day. If it appears that such emails are more common than that, it is not just because such emails are potentially more damaging: we have repeatedly seen that they are far more likely to bypass email security products than ordinary spam.

This was no different in October, when we saw many emails bypass more than a third of the products in our test lab. Looking at the emails that were most often missed, one thing stood out: almost all of them delivered Emotet.

The notorious trojan, which came back from a summer hiatus in September, is best known for its ability to evade detection and as the stepping stone for some very damaging attacks. But Emotet's operators are also known to be very effective spammers.

In some campaigns they send emails as replies to previously sent legitimate emails, but in the last month the emails we saw simply used short, generic messages that would be hard to distinguish from legitimate emails. Crucially, they used compromised mail servers from which to send the emails, which in most cases allowed them to pass SPF and DKIM.

Another thing that contributes to the relatively low block rate of this and other malicious campaigns is the small size of the campaign: sending millions of copies of the same email hurts spammers more than it helps. In fact, Emotet's campaigns tend to be relatively large compared with others – some malware is sent in campaigns of as few as 25,000 emails. It is likely that some of the campaigns sent in October did not make it to our test lab but would have achieved even lower block rates.

This doesn't mean that every malicious spam campaign achieves low block rates: also in October we noticed a malware campaign targeting users in Italy spreading Ursnif. The emails were sent from compromised Italian home IP addresses and were not only blocked by every email security product in our test but also by almost all IP- and domain blocklists.

malspam_october2019_emotet.png malspam_october2019_ursnif.png

 Two malicious emails in Italian: Emotet (left) bypassed more than a third of email security products, while Ursnif (right) was blocked by all products.

For more details on Emotet, I recommend you consult the VB2019 paper by Sophos researcher Luca Nagy.

I will speak on the subject of malicious spam at Botconf in Bordeaux, France next month. Should you wish to have your email security product added to our test lab (and, optionally, have it certified by Virus Bulletin), please email vbtest@virusbulletin.com.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 paper: Spoofing in the reeds with Rietspoof

In a VB2019 paper Avast researchers Jan Sirmer, Luigino Camastra and Adolf Středa revealed full details of the Rietspoof malware. Today we publish their paper and the recording of the presentation given by Jan and Luigino in London.

New paper: Behind the scenes of GandCrab's operation

The GandCrab ransomware regularly updated itself to newer versions to stay ahead of decryptors released by security researchers, and regularly included taunts, jokes and references to security organizations in its code. In a new paper, the AhnLab…

VB2019 paper: King of the hill: nation-state counterintelligence for victim deconfliction

At VB2019 Juan Andres Guerrero-Saade looked at nation-state actors using threat intelligence for victim deconfliction. Today we publish both his paper and the recording of his presentation.

The VB2020 call for papers - how it works

With the VB2020 Call for Papers now open, we explain how the selection procedure works, which may help you during your abstract submission.

VB2019 presentation: Targeted attacks through ISPs

In 2019 we saw a rise in the number of targeted malware infections spread via ISPs and service providers. In a last-minute paper presented at VB2019 in London, Kaspersky researcher Denis Legezo discussed the details of a number of such cases. Today…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.