Emotet continues to bypass many email security products

Posted by   Martijn Grooten on   Nov 4, 2019

Emails with a malicious link or attachment form only a small minority of the spam that is sent every day. If it appears that such emails are more common than that, it is not just because such emails are potentially more damaging: we have repeatedly seen that they are far more likely to bypass email security products than ordinary spam.

This was no different in October, when we saw many emails bypass more than a third of the products in our test lab. Looking at the emails that were most often missed, one thing stood out: almost all of them delivered Emotet.

The notorious trojan, which came back from a summer hiatus in September, is best known for its ability to evade detection and as the stepping stone for some very damaging attacks. But Emotet's operators are also known to be very effective spammers.

In some campaigns they send emails as replies to previously sent legitimate emails, but in the last month the emails we saw simply used short, generic messages that would be hard to distinguish from legitimate emails. Crucially, they used compromised mail servers from which to send the emails, which in most cases allowed them to pass SPF and DKIM.

Another thing that contributes to the relatively low block rate of this and other malicious campaigns is the small size of the campaign: sending millions of copies of the same email hurts spammers more than it helps. In fact, Emotet's campaigns tend to be relatively large compared with others – some malware is sent in campaigns of as few as 25,000 emails. It is likely that some of the campaigns sent in October did not make it to our test lab but would have achieved even lower block rates.

This doesn't mean that every malicious spam campaign achieves low block rates: also in October we noticed a malware campaign targeting users in Italy spreading Ursnif. The emails were sent from compromised Italian home IP addresses and were not only blocked by every email security product in our test but also by almost all IP- and domain blocklists.

malspam_october2019_emotet.png malspam_october2019_ursnif.png

 Two malicious emails in Italian: Emotet (left) bypassed more than a third of email security products, while Ursnif (right) was blocked by all products.

For more details on Emotet, I recommend you consult the VB2019 paper by Sophos researcher Luca Nagy.

I will speak on the subject of malicious spam at Botconf in Bordeaux, France next month. Should you wish to have your email security product added to our test lab (and, optionally, have it certified by Virus Bulletin), please email vbtest@virusbulletin.com.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2020 TIPS presentation: Intelligence Sharing for Supply Chain Security

As part of VB2020 localhost we were proud to co-host the Threat Intelligence Practitioners' Summmit (TIPS), put together by the Cyber Threat Alliance. In a series of blog posts we highlight some of the talks presented in the Summit and the important…

VB2020 localhost is over, but the content is still available to view!

VB2020 localhost - VB's first foray into the world of virtual conferences - took place last week, but you can still watch all the presentations.

New additions complete the VB2020 localhost programme

The programme for VB2020 localhost - the first virtual, and entirely free to attend VB conference - is now complete, with new additions to both the live programme and the on-demand programme.

VB2020 localhost call for last minute papers: a unique opportunity

Why VB2020 localhost presents a unique opportunity for you to share your research with security experts around the globe.

VB2020 localhost call for last-minute papers now open!

The call for last-minute papers for VB2020 localhost is now open. Submit before 17 August to have your paper considered for one of the nine slots reserved for 'hot' research!

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.