Threat Research

How Emotet flooded Japanese inboxes

Martin Chlumecky 27 Apr 2022

Avast’s telemetry data confirms a significant increase in Emotet botnet infection attempts in March 2022.

Emotet has evolved into a monetized botnet-as-a-service platform over time, designed to deploy other malware or run campaigns via pay-per-install (PPI) offers, where cybercriminals pay other cybercriminals with a botnet network of infected devices to spread their malware to the already infected devices. Therefore, Emotet's authors strive for the largest possible Emotet botnet.

Emotet is spread via phishing emails with malicious attachments. These emails often include an Excel attachment, where if opened, the recipient is encouraged to enable macros. Suppose the malicious macro-code is run. The code downloads and runs the Emotet payload. A victim's machine is registered in the Emote command and control (C&C) server, including basic information about the victim's computer, such as OS version, run processes, IP, and more. At this moment, the Emotet bot is ready to serve and periodically contacts C&C servers and asks for commands.

The Emotet bot can download other Emotet modules like the spam module I will describe in this blog post, launching additional phishing attacks to spread Emotet itself laterally. However, the main function is to offer its bots via PPI to deploy other malware for other cybercriminals.

In the wild, we monitored a few of the most deployed malware types infecting computers via Emotet. In most cases, the malware is banking trojans, stealers of browser stored passwords, and ransomware such as TrickBot, Qbot, Ursnif, and Ryuk.

Avast’s Mailpot targeted by Emotet

Avast’s mail honeypot, Mailpot, faced malicious emails spreading Emotet on a daily basis in March, as can be seen in the figure below. The graph shows an extreme increase in Emotet emails in the first and third weeks of March; specifically, 22,300 Emotet emails were received in March 2022 by Mailpot.


Avast’s mail honeypot, Mailpot, captured 22,300 emails in March 2022

Avast’s Mail Shield protects Japanese customers from increased attack attempts


565,000 malicious emails blocked by Avast’s Mail Shield in Japan, March 2022

According to Avast’s data, Japanese companies have been the main target of Emotet spam mails. The graph above shows the malicious activity Avast’s Mail Shield blocked from potentially infecting customers in Japan. We blocked 565,000 Emotet attack attempts in Japanese inboxes in March 2022.

There is a correlation between data from our Mailpot and Mail Shield. The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) also reported an uptick in Emotet infections at the beginning of February 2022. 

In general, cybercriminals mainly target companies more than consumers’ inboxes, as companies house more valuable information. Given how Emotet spreads, which we will explain below, Japanese companies being highly targeted could be the result of one company being infected and the spreading of email malicious snowballing from there.

Malicious attachments in Japanese inboxes

Emotet is present in 58% of all email attachments our Mail Shield scanned in Japan in the month of March. Other similar malware included in attachments, such as AgentTesla, and FormBook, are present with low prevalence. It is therefore evident that the Japan Emotet campaign was dominant in March 2022. The malware distribution chart below shows the distribution of malicious attachments in Japanese inboxes. 

The attached file type chart below shows the Excel attachments were used in seven out of ten cases to spread Emotet via malicious macro-code and archived malicious executables to Japanese users in March 2022.


Japan malware distribution in Japan and types of malicious attachments, March 2022

The malicious Excel files attempt to deceive users into running a malicious macro under the pretext of unlocking the document. The attackers show the contents of the Excel files, blurred. Over the blurred content is an image designed to look like a pop-up window with a message that requests the user enable the contents of the documents; see the examples below. 

Microsoft Excel does not provide functionality like content locking/protecting. If you ever open a document like this, close it immediately! 

 


Examples of a phishing Excel attempting to trick people into enabling malicious macros

Japanese mailboxes flooded 

This new Emotet campaign has not only flooded Japanese inboxes with Emotet phishing emails, but also delivery failure emails - a side effect of the massive amount of emails sent by the Emotet botnet.

Attackers still use a well-known email spoofing technique, where they send emails that appear to come from someone they are not. The SMTP email protocol, used by nearly every email provider, does not validate email senders. The SMTP protocol (Simple Mail Transfer Protocol) is used to transfer emails between mail servers, and it cannot validate whether an email is legitimate or forged. The principle is very simple: the sender and recipient are text values in the protocol. Therefore, the attackers spoof these values to those that victims deem credible or know. 

Emotet collects email addresses and generates hundreds of thousands of emails per day, spoofing them to appear to come from the email addresses it collects from victims' inboxes. This helps further spread Emotet, as recipients might be more likely to open an attachment if the email looks like it came from someone they know and trust. And just because Emotet uses an email address, does not mean that the owner of that email address has been infected with Emotet. It just means someone they had correspondence with has been infected.

Some of these emails could not be delivered for various reasons, such as unknown or deactivated recipients. For these reasons, the undeliverable emails were returned to the senders; but the senders have been spoofed. The result is that the mailboxes of abused senders' emails are flooded with suspicious emails that have not been sent by them and they are not even infected with Emotet.

We identified 20 abused emails that received approximately 100,000 returned emails in March. These are examples of subject lines:

  • Undelivered Mail Returned to Sender
  • Mail delivery failed: returning message to sender
  • Delivery Failure Notification
  • Returned mail: see transcript for details

The devices sending out the spoofed emails


Mail server locations sending out spoofed emails according to Avast's Mailpot

The origin from where the spoofed Emotet emails were sent cannot be clearly identified. On the other hand, we have data from our Mailpot which can help us determine the location from which the emails are sent with some probability.

Most of the emails were sent from Vietnam during the quiet spam period between October 2021 and December 2021. A serious and steady increase of spam emails were sent from Brazilian mail servers in all three weeks of March 2022. There are a few peaks where emails were also sent from mail servers in Italy, Russia, India, and Vietnam, but these peaks may not be related to the Emotet spam. The map above animates spammers' mail servers for March and the period between October and December 2021 that were Emotet spam silent.

It should be noted that the mail servers we saw sending out spam can also be other bots such as home computers or poorly secured servers implementing an elementary and thin mail server intended only for sending emails.

How to tell if your device has been infected with Emotet

In general, malware, including Emotet, is designed to silently infiltrate victims’ computers and remain silent. There are a few signs indicating Emotet’s presence. However, these are not 100% reliable. If you suspect your computer has been infected with any type of malware, including Emotet, install an antivirus software, like Avast Free Antivirus to run a scan and remove the malware. Avast provides strong protection against all Emotet versions.

System registry

The first sign can be a record in the run key of the system registry. The run key defines programs that are executed after Windows startup.

The following command lists all run records for a current Windows user:

reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Right-click on the Start menu -> Select Run -> Type “cmd” -> Click OK -> write the command into the command line and press Enter.

If you see an output similar to the one in the screenshot below, it can indicate the presence of Emotet.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Lijpatsx.pft REG_SZ C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\<user-name>\AppData\Local\Dmzgkwgrljf\lijpatsx.pft"

You can see a random folder name and a filename including an extension;
namely Dmzgkwgrljf\lijpatsx.pft in this example.

If you follow the path from the registry, you can localize the Emotet executable in your file system.

New Windows service

Another hint that a computer may be infected with Emotet can be observed in the Windows Services Manager. Open the Services Manager by right-clicking on the Start menu -> Select Run -> Type “services.msc” -> Ok. Now, you can see a complete list of Windows services.

Emotet is usually represented by a service with a random name, as you can see in the screenshot below. Moreover, Emotet abuses a service description of a randomly selected Windows service that is legitime.


Emotet service visible in the Services Manager

If you click on the Emotet services and open the details dialog, you can see other indicators as shown in the screenshot below. Namely, the path to an executable that also contains a random folder name and a filename, but in the Windows System directory. The Emotet executable is run utilizing regsvr32.exe with silent switch ‘/s’.


Details of Emotet service from the Services Manager

Failed Emotext execution

The last way is actually to see if Emotet attempted to infect a computer, but was unsuccessful.

If the user enables the content of an infected Excel file, the malicious macro-code downloads the Emoted payload into the user directory located in C:\Users\<user-name>. A payload filename is a short filename with extension .ocx or .dll. Then the macro-code tries to load the payload using regsvr32.exe.

However, if the downloaded payload is not valid or corrupted for some reason, Emotet is not deployed, and the payload stays in the user directory. Therefore, you can see the payload file in the user directory, e.g., sei.ocx, dan.ocx, dwhn.dll, etc. In this case, the payload file usually contains an HTML file with a message that the download was unsuccessful.

The existence of the HTML file is a consequence of a blocked URL that has been suspended by a provider, and the Emotet payload was not already available. So, the response of downloading is only the HTML message.

Conclusion

Japan was under massive phishing attacks in March 2022, spreading Emotet malware in most cases. We cannot clearly determine the spammers' origin, but our Mailpot reports a significant increase of spam emails from Brazilian mail servers in the first three weeks of March. The Emotet malware was spread through Microsoft Excel files with malicious macro-code.

The attackers spoofed email headers and abused several Japanese companies as email senders. Thousands of spoofed emails were returned back to the victim's mailboxes as a side effect of the email spoofing technique. So, the victims' inboxes were flooded with emails that had not been sent from the victims' inboxes.

Therefore, to protect yourself, we strongly warn users against opening and enabling the contents of suspicious attachments even if the sender looks authentic and someone you trust.

If you received mail delivery failure emails from emails you did not send; please follow these instructions to send these suspicious emails to Avast Threat Labs. Thank you for helping us make the virtual space more secure!