How to check if an email or a domain was used in Emotet attacks?

Pierluigi Paganini October 01, 2020

Cyber security firm launches a new service that allows users to check if an email domain or address was part of an Emotet spam campaign.

Experts worldwide warn about a surge in the Emotet activity, recently Microsoft along Italy and the Netherlands CERT/CSIRT agencies reported a significant increase of Emotet attacks targeting the private sector and public administration entities. Similar alerts were issued in the same period by Computer Emergency Response Teams (CERTs) in France, Japan, and New Zealand.

Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. When opened and macros are enabled, it will install the Emotet trojan on a victim’s computer.

The recent Emotet campaign uses spam messages with password-protected attachments.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. In the middle-August, the malware was employed in fresh COVID19-themed spam campaign

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

Emotet malware is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Now I’m very happy to announce that the Italian cybersecurity company TG Soft launched a new service called Have I Been Emotet that allows users and organizations to check if a domain or email address was involved/targeted in Emotet spam campaigns.

TG Soft has monitored Emotet spam emails sent between August and September 23rd, 2020. The experts analyzed more than 700,000 outgoing emails and collected over 2.1 million email addresses.

The use of the service is very simple, the users have to provide a domain or email address, in turn, the platform will report how many times the email address or domain was used as the sender of an email or the recipient.

Querying the Have I Been Emotet service, the email address or domain can be marked as a SENDER (FAKE or REAL), as a RECIPIENT, or any combination of the three. A REAL SENDER suggests that the computer using this email account has been compromised and used to send out spam messages. A FAKE SENDER indicates that the email address provided by the users was compromised and used in spam campaigns. RECIPIENT indicates that the email address provided by the users was the recipient of an Emotet spam email. Watch out, the presence of an email address or domain that has been used as a recipient, does not necessarily mean that the user’s organization has been infected.

A recipient could have been infected in case it has opened the attachments used in the spam email and enabled macros.

If a domain was marked as a ‘REAL’ sender it is suggested to check if it has been compromised.

Let’s consider for example the mail shared by the Italian CSIRT in his alert, we can verify that the domain “pro-teca.com” was involved in Emotet campaigns monitored by TG Soft.

Emotet
have i been emotet
[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment