Thwarting Emotet email conversation thread hijacking with clustering

Wednesday 2 October 15:00 - 15:30, Red room

Pierre-Luc Vaudry (ZEROSPAM Security)
Olivier Coutu (ZEROSPAM Security)

In spring 2019, the Emotet trojan began using old email conversation threads siphoned from infected hosts to propagate. Attacker-controlled servers would send emails that were spoofed to appear as a continuation of these threads to the contacts involved. These emails would contain a malicious URL or attachment containing the trojan.

This method of propagating malware was first reported in 2017 and our nodes first saw traces of it in April 2018. We had noticed some emails that had been taken out of quarantine by users and that looked like unrelated legitimate mail. On closer examination, these emails turned out to be malware‑carrying.

As these propagating messages were sent in waves of increasing volume, like most spam email, the waves of messages became detectable by applying clustering techniques to the email flow. These emails could then be seen as part of a larger malspam campaign. This appears to have happened for spreading Emotet on 2 August 2019, when several of our customers started receiving a sizeable number of emails with identically named attached files. One particular infected host had contacts with several of our customers and was the source of the first noticeable burst. While the trojan was unknown to our anti-virus, we were able to block part of it based on some of the emails containing executable file types. The intelligence provided by clustering enabled us to refine our filters further.

Because such a clustering-based campaign detection scheme can be useful in blocking a variety of malspam, the presentation will describe the steps needed to develop it. We will explain what characteristics of emails we found to be most relevant for clustering. We will share what clustering metric we use to evaluate clustering results. The automatic optimization of the combination of those characteristics from email metadata corpora will also be discussed.




Pierre-Luc Vaudry

Dr. Vaudry has been in charge of artificial intelligence R&D at ZEROSPAM Security Inc. since 2017. He obtained his Ph.D. from Université de Montréal in the same year with a thesis in the area of natural language processing. He holds university degrees in both computer science and linguistics. He has applied machine-learning techniques to both email classification and clustering as part of his current position.



Olivier Coutu

Olivier Coutu has been keeping up with the latest in malicious emails at ZEROSPAM since 2014 and coordinating the operations team since 2017. He received his B.Sc. in physics and his M.Sc. in computer science from Université de Montréal. He is currently collaborating with a team of researchers to apply the latest machine-learning algorithms to the practical aspects of email security.

   Download slides    Watch video

Back to VB2019 Programme page

Other VB2019 papers

Inside Magecart: the history behind the covert card-skimming assault on the e-commerce industry

Yonathan Klijnsma (RiskIQ)

Catch me if you can: detection of injection exploitation by validating query and API integrity

Abhishek Singh (Prismo Systems)
Ramesh Mani (Prismo Systems)

Spoofing in the reeds with Rietspoof

Jan Sirmer (Avast Software)
Luigino Camastra (Avast software)
Adolf Středa (Avast software)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.