Editorial Note: The article is based on the findings of Palo Alto Networks threat intelligence arm, Unit 42’s report available here.
Palo Alto Networks threat intelligence arm, Unit 42, has released a report detailing the recent movements of Emotet, a malware that infects computer systems globally through its mass campaigns of spam email that delivers malware.
Initially designed to help steal financial data, Emotet has since evolved to a malware loader with modular functionalities. This means that Emotet operators are now able to install additional malware onto infected machines and even offer their botnet as “Malware-as-a-Service” to other cyber-criminal gangs.
According to Unit42's report, a large number of vulnerable servers belonging to SMEs across the APAC region are being exploited by Emotet actors to distribute Emotet variants. It is important to note that this exploitation is made possible primarily due to poor cybersecurity hygiene on the part of these SMEs, such as failing to update and patch their web servers regularly.
With SME’s websites being exploited at a high rate across APAC and being leveraged as malware distribution servers, Unit42 was interested in looking at the APAC regional numbers specifically for Emotet distribution. Narrowing down per regional country also helps in response efforts with associated national CERTs.
Vietnam is the top affected country in the region, with a huge number of infected systems followed by India and Indonesia. Interestingly, the rest of the Asian countries are not far behind as well, meaning SMEs there are still vulnerable to this.
The research revealed that despite the Emotet malspam campaigns going dark towards the end of May, a large number of vulnerable servers of small and mid-size enterprises (SMEs) across APAC (primarily Vietnam, India, Indonesia, Australia, China and Japan) are now being exploited by Emotet actors to distribute Emotet variants, primarily due to lack of updating and patching their web servers. Additionally, Unit42 found that the majority of these compromised domains are running the WordPress blogging software.
The report stated the overall Emotet campaign modus operandi is the use of compromised legitimate domains to host and distribute the Emotet delivery docs and executables. Looking at the compromised domains, Unit42 noted that the majority of the domains are SMEs with legitimate businesses. SME organisations often don’t update or patch their web servers, likely due to their limited resources. This allows cyber-criminals, like the Emotet actors, to exploit the server-side vulnerabilities and host the malicious Emotet variants that are then delivered via HTTP links, embedded in the malspam campaigns.
The actors first scan the internet for vulnerable web-servers, which are then exploited and used to host the malicious Emotet variants. The actors then proceed with their email spam campaigns with legitimate-looking themes to lure victims into clicking on the attached URL that downloads the Emotet delivery document or executable from the compromised domain hosting the malware. In the case of Emotet delivery documents, it typically includes a macro that then downloads and executes the Emotet payload, infecting the victim’s machine. Whereas in other cases, Emotet executables are downloaded directly from the compromised domains and infect the victim’s machine to join the wider Emotet botnet.
Unit 42’s data revealed a large number of vulnerable servers across APAC are exploited by Emotet actors to distribute Emotet variants. This data also indicates that a large number of SME’s fail to perform best practices, like patching their systems on a regular basis, resulting in them being exploited and becoming a critical part of the overall success of the Emotet campaign.
Also, the report highlighted that it is important to note that the majority of the compromised domains are running the WordPress blogging software. A quick search for WordPress vulnerabilities on vulnerability tracker sites, like “CVE Details”, shows the high number of vulnerabilities that have been disclosed for WordPress. A similar search on “Exploit-DB” also indicates the high number of exploits being published every month in the public domain, allowing anyone to reuse the exploits published.
While the understanding of Emotet actors exploiting vulnerable WordPress sites is not new to the security community, it is important to stress and highlight this again to raise the awareness for organisations to patch their web applications as soon as possible in order to deter threat actors like the Emotet gang from taking advantage of the vulnerabilities and avoid a more devastating impact.
Palo Alto Networks claim that their customers are protected from this threat. Their threat prevention platform detects Emotet malware with Wildfire while and simultaneously updating the ‘malware’ category within the PAN-DB URL filtering solution for compromised domains it has identified.