Operation TA542: Emotet Resurfaces

Operation TA542

( 2 min read )

Operation TA542: Emotet Resurfaces

This botnet has been ping-ponging back and forth, claiming victims in large numbers and then vanishing. It had last surfaced around Christmas 2019, in the form of a VB Macro concealed under Fake Christmas Party Invites. It is none other than the Emotet botnet, a deadly trojan which had first appeared in the banking world. Towards the end of 2019, cyber analysts thought the botnet had gone for good. However, it has sprung back to life through Operation TA542. It is spreading rapidly through email spamming campaigns, as reported  by security researchers at Proofpoint.

What’s New About Operation TA542?

The operation took action on 13 January 2020 and mainly targeted pharma companies in the States, Canada, and Mexico. The initial wave came in the form of fraudulent emails. The criminals disguised the emails as SOC Reports which spell out the assessments of financial audits of a company. The email contains the report as a Word file attachment. The file, of course, contains malicious payload. MS Word has locked these files for editing. However, if you click the ‘enable editing’ option, a script offloads the malicious code onto your system.

Startlingly, though, this initial wave was just a testing ground. Very soon, the Emotet had spread across several victims sprawled across North America, Europe, South East Asia and Australia. The phishers also adjusted the language and wording of the emails per the region of targeting. Very smartly, they adapted to the mannerisms that would feel natural to the respective demographic. In the second wave, the target industry also branched from pharmacy to other sectors. Since SOC reports are common to all businesses, the ruse appeared not to have changed.

“Emotet is one of the world’s most disruptive threats and organizations worldwide should take its return seriously. They have a massive sending infrastructure – nobody hits volumes like they do.”

-Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

According to Sherrod, Operation TA542 is about smart, deceitful work rather than hard work. The threat actors are sharp, and even took a 150-day break before striking at Christmas in 2019. While other threat actors work continuously to widen their victim pool, Emotet’s burst-attack mode seems to be even more effective.  Goes to show how slippery it really is.

It’s self-sustaining mode of contagion indicates that it will surely strike again. Most probably when people are least expecting it.

What do I do?

Proofpoint Security is emphasizing on full-proof email security as the only way to protect yourself against the Emotet. Nip it in the bud, as the saying goes.

“It’s important security teams continue to secure their email channel and educate users regarding the increased risks associated with email attachments.” said DeGrippo.

We have been stressing the importance of email security as well. Our Cloud Email ATP service accurately detects email-borne threats such as Ransomware, BEC, Domain Spoofing, Advanced Malware, Spear Phishing & Display Name Spoofing. You can read all about our offerings on our Email ATP Service Page. With our systems in place, nothing slips through the cracks.

Leave a Reply

Your email address will not be published. Required fields are marked *