Cybersecurity organizations fight back against rise of emotet and omnatuor malvertising

Malicious threats continue to evade detection and spread rapidly through networks. This is especially true for emotet and omnatuor malware, which has raised increasing concern in the cybersecurity community. 

These malware can be delivered via email, social media and even legitimate websites that attackers have compromised. Once installed, they can steal sensitive information such as login credentials and financial information. Additionally, the attackers often use infected computers to launch further attacks, making it difficult for organizations to contain the damage. 

But over time, these attacks have evolved into a far more sophisticated and dangerous threat, highlighting the need for organizations to be vigilant and proactive. More than ever, businesses and organizations must keep pace and implement robust security measures to protect against rising threats.

From banking trojan to malware-as-a-service

Emotet, a modular banking Trojan, first emerged in 2014 and has since evolved into a sophisticated and dangerous threat. Emotet is a malware-as-a-service delivered via malicious scripts, links or macro-enabled document files. The malware is known for its ability to retrieve payloads from command and control servers, enabling it to install updated versions of the virus and dumping stolen information, such as credit card numbers and email addresses. In addition, emotet has been used as a delivery mechanism for other malware, including the omnatuor malvertising campaign. 

In January 2021, emotet took a significant blow as law enforcement agencies from the Netherlands, the UK, the U.S., Germany, France, Lithuania, Canada and Ukraine conducted a coordinated takedown of the notorious malware. Despite this setback, emotet has managed to stage a comeback, with its authors adapting their techniques to evade Microsoft’s growing countermeasures on VBA Macro security. 

Following 11 months of inactivity, reports of emotet-related malspam campaigns began to surge in the first half of 2022. The high-profile attack on the Max Planck Institute for Plasma Physics on June 12th further underscored this resurgence. 

Believable, but costly, masquerades

Now, emotet’s ability to adapt and evade detection has again placed it at the top of the list of the most impactful malware families worldwide, making it a threat that organizations and individuals must take seriously.

“Since 2021, emotet didn’t change its core capabilities and code structure too much, except for moving to 64bit, but it did mature its infection flow each time to avoid detections,” said Mark Vaitzman, threat lab team leader at Deep Instinct. “During their last major campaign in November 2022, we witnessed a spike in emotet infection attempts in the wild. Emotet was detected deploying Quantum, BlackCat and Bumblebee. Therefore, it’s very profitable and might be used by affiliate programs of ransom groups that are currently very popular. Recently, we can see more new strains of info-stealers than any other malware type.”

One of the most insidious aspects of emotet is its ability to masquerade as a communication from a legitimate organization, and these emails often use familiar subjects such as “Account Alert,” “Invoice,” and “Automatic Billing Message” to trick users into thinking they are legitimate. Ploys include “email conversation thread hijacking,” where the trojan hijacks existing email conversations to infect the recipient, exploiting the trust already established with the sender.

“Attacks that focus on extracting credentials can be perilous, and when those credentials are static, users can be open to attack in many other applications other than just the attacked on,” Will LaSala, field CTO at identity security and solutions firm OneSpan told VentureBeat. 

Evolving tactics

According to LaSala, users targeted by emotet have had credentials heisted and used to create a synthetic identity to purchase large vehicles.

The attackers gathered credentials and personally identifiable information (PII) through a mobile malware-targeted app and combined details from many different users’ accounts to create a single account. The attacker could then turn around and use this account to purchase from an unsuspecting dealership. As a result, the number of users and organizations impacted were many — it wasn’t just a single attacker and a single victim.

Emotet also has worm-like capabilities that allow it to spread into connected computers and nearby Wi-Fi networks by stealing admin passwords. As a polymorphic malware, it can constantly change its identifiable features to evade detection. For example, if it detects that it is running inside a virtual machine or sandbox environment, it can adapt accordingly, such as lying dormant to avoid detection.

Additionally, emotet often installs a banking trojan called TrickBot, explicitly targeting Windows machines. TrickBot makes use of the Mimikatz tool to exploit the Windows EternalBlue vulnerability, which has been known to lead to further infections with the Ryuk ransomware, specifically designed to target enterprise environments. 

Considering all this, it’s clear that emotet is a highly sophisticated and ever-evolving threat that demands constant vigilance and robust security measures to defend against.

To prevent emotet attacks, LaSala recommends that organizations employ robust risk management tools with artificial intelligence (AI) and machine learning (ML) that can detect threats as they occur and ensure that applications can react to them.

Hijacking browser settings to spread riskware

Omnatuor is a malvertising campaign that uses malicious ads to deliver malware to unsuspecting users. The campaign was first discovered in 2019, and since then, it has been responsible for infecting thousands of computers worldwide. It uses a variety of tactics, including push notifications, pop-ups and redirects within a browser to deliver malware to unsuspecting users. 

Even more concerning is that omnatuor continues to serve ads, even after the user navigates away from the initial page. While some in the security community may dismiss omnatuor as mere adware, this label underestimates the potential danger posed by the campaign.

In addition to its ability to persist, omnatuor is known for delivering harmful content. The campaign took advantage of vulnerabilities in WordPress, embedding malicious JavaScript or PHP code. It is effective at spreading riskware, spyware and adware. Once the code is in place, it redirects users to malvertisements, which can take the form of pop-ups or push notifications. These malvertisements are designed to trick users into clicking on them, which can lead to the installation of malware or the theft of sensitive information. 

AI increasing risk

Patrick Boch, product manager for S/4HANA security at SAP, says that the current wave of malware attacks might be related to the rise of AI, more specifically ChatGPT. 

According to Boch, researchers have found that cybercriminals increasingly use ChatGPT to phrase content that is more convincing for an average user. “So, where previously a user could easily identify a phishing email or a fake advertisement by obvious language mistakes, those same messages are now harder to identify,” he said.

Boch pointed out that, while technology does its part by detecting, isolating and removing said malware, cybersecurity awareness is the most effective way to prevent it. 

“Both malware rely on some sort of interaction with the user to infect a network or system — minimizing this interaction by enabling people to recognize potential threats goes a long way in protecting against them,” Boch told VentureBeat.

Distributed workforce fosters new incursions

Unlike traditional cyberattacks based on network injection or software vulnerabilities, phishing-based malware such as emotet and omnatuor manipulates the human in the loop. 

Poojan Kumar, CEO and cofounder of data backup and recovery software-as-a-service (SaaS) platform Clumio, believes that the resurgence of emotet and omnatuor has been highly correlated with the rise of the distributed workforce. 

“As employees log in from personal devices, browsers, and clients, their corporate environments have become easier targets,” Kumar told VentureBeat.

CheckPoint Research also validates this, he said. The most affected industries today are government, finance, and manufacturing — highly centralized workforces that suddenly went remote and were unable to keep up their security hygiene.

Kumar said that the likes of emotet and omnatuor will become increasingly sophisticated in their ability to mimic contextual authenticity to trick users, and he cautions that this is a problem that cybersecurity alone cannot solve. 

“Some metrics and trends for CISOs to identify or look for include self-reported spam/phishing rates from employees to fine-tune email filtering, time to patch critical vulnerabilities and employee engagement on security-related comms,” he said.

To protect against emotet and omnatuor, it is important to keep software and security systems up-to-date and to be cautious when clicking on links or downloading files from unknown sources. Additionally, it’s crucial to have a robust backup and disaster recovery plan to minimize an attack’s impact. 

Organizations should also consider implementing advanced threat detection and response technologies, such as endpoint detection and response (EDR) and sandboxing. These technologies can help detect and block malware before it can cause harm. Additionally, security teams should be trained to recognize the signs of an attack and respond quickly to minimize the damage.

“While technology does its part by detecting, isolating and removing said malware, I believe the most effective way in prevention is cybersecurity awareness,” Boch told VentureBeat. “Both malware rely on interaction with the user to infect a network or system. Minimizing this interaction by enabling people to recognize potential threats goes a long way in protecting against them.”

Clumio, for instance, monitors and detects the presence of emotet and omnatuor malware. The platform utilizes a toolchain to detect and thwart malware attacks, including email filtering, network and firewall monitoring and log analytics from various sources. 

“To reduce the potential attack surface, we also try to use cloud apps wherever possible, rather than deploying applications locally,” he said. “We also ensure that vulnerabilities are monitored and patched as soon as possible.”

Variants of emotet and omnatuor lurk

LaSala predicts that new variants for both emotet and omnatuor should be expected in 2023, amalware variants typically evolve.

“Attack vectors beyond what is known today will be found tomorrow, and we can expect malware to exploit those holes quickly,” said LaSala. “Organizations should continue to be vigilant and implement tools to protect themselves as malware continues to grow and change.”

Likewise, Kumar expects phishing/spoofing to increase as a percentage of total attacks. 

“While cybersecurity tools have gotten more sophisticated, security hygiene hasn’t kept up,” Kumar explained. “With the advent of generative AI tools, we all need to be very wary of phishing attempts that could, at first glance, be indistinguishable from legitimate messages.”

He said CISOs and data leaders need to rethink security — bolstering their arsenal of cybersecurity and data protection with continuous engagement and education of employees.