Threat Source newsletter (May 5, 2022) — Emotet is using up all of its nine lives

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Emotet made headlines last week for being “back” after a major international law enforcement takedown last year. But I’m here to argue that Emotet never left, and honestly, I’m not sure it ever will.  

As Nick Biasini and I covered in a December episode of Talos Takes, these takedowns are always incredibly helpful and a show of strength among the international community. But it doesn’t mean they’re a final nail in the coffin.  

Nick pointed out to me in that Talos Takes that there weren’t any arrests associated with the takedown, so the operators were always still out there ready to come back. And we started seeing Emotet send spam again as soon as nine-ish months after the takedown announcement.  

“In this particular case, we saw a botnet disruption, more than anything else,” Nick said. 

So it really shouldn’t be a surprise to anyone that Emotet is re-loading again. It’s known to go on months-long breaks, usually picking up around major holidays or international events like Black Friday and Cyber Monday. 

I admittedly don’t know enough about the ins and outs of taking down a botnet to say if something like this could ever be permanent or if there ever really is a way to truly end it for good. But if Emotet goes quiet for another few months and then magically pops up again in September, no one should be surprised. 

Take Silk Road, an infamous dark website for drug trade, needed three international takedown efforts over two years to truly shut down the site and stop any predecessors from popping up, even after its initial founder was arrested. 

As all these threats have shown us, as defenders, we can never let our guard down that a threat is ever truly gone no matter how impressive a press release sounds.  

The one big thing 

Our researchers recently studied a trove of leaked chat logs between the Conti and Hive ransomware operators and their victims. From them, we learned more about how the groups choose their victims, how a triple-extortion attempt usually goes down and more about the inner workings of these actors. In our latest research paper, we run through these findings and provide a look into these chats so other security researchers and potential targets can be more prepared to fight these groups and spot their weaknesses.  

Why do I care? 

The chats we studied are completely new from the Conti leaks from earlier this year, so we continue to learn more about this group as time goes on. For starters, victims should take away from this research that if the plan is to pay the ransom, never take the actor’s first offer, they almost always reduce their asking price over time. We now know more about these groups’ negotiating tactics, which can be helpful for anyone who may be a future target or victim of these groups.  

So now what? 

Pretty much the same as always if the goal is to never be hit with one of these ransomware attacks. This is a reminder to all organizations to implement a strong patch management system and keep all systems up to date. Organizations should also perform general system hardening that includes removing services or protocols running on endpoints where they are unnecessary. 

 

Other newsy nuggets 

For many years, Russia was viewed as off-limits for cyber attacks over the risk of potential retaliation. But after the country’s invasion of Ukraine, the floodgates have opened to hactivists and volunteers who are hitting the country’s networks at an unprecedented rate. Even some ransomware groups have gotten in on the action. Even early in the invasion, Russia suffered a major setback because actors in Belarus disrupted the country’s railway system that was still relying on Windows XP, slowing down Russia’s supply lines and potentially staving off an invasion of Kyiv, the country’s capital. (Washington Post, Wired, ComputerWorld) 

Users can now opt-out of having their personal information appear in Google search results. The search engine recently loosened its policies on this opt-out. Previously, users had to show a threat of doxxing or other harm that could come to them should something like their phone number, address or email show up when you searched their name. Now, the company says people can ask for their information to be removed even if there is no clear risk. This is not a catch-all step to protecting your identity online, but it’s a solid start for anyone looking to be more privacy-conscious. (NPR, CNET) 

A Chinese state-sponsored actor has been snooping on more than 30 major companies’ networks for more than two years to steal intellectual property. Security researchers say the APT41 threat actor used what they dubbed "Operation Cuckoo Bees” to steal trillions of dollars' worth of everything from engineering blueprints to experimental diabetes treatments and solar panel designs. As of this week, the campaign is still ongoing. (SC Magazine, CBS News) 

Can’t get enough Talos? 

• Talos Takes Ep. #94: Everything you need to know about the BlackCat ransomware group
• Vulnerability Spotlight: Two vulnerabilities in Accusoft ImageGear could lead to DoS, arbitrary free
• Threat Roundup for April 22 - April 29

Upcoming events where you can find Talos 

RSA 2022 (June 6 – 9, 2022)
San Francisco, California 

Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa 
MD5: df11b3105df8d7c70e7b501e210e3cc3 
Typical Filename: DOC001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1    
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe    
Claimed Product: N/A    
Detection Name: Win.Dropper.Coinminer::1201 

SHA 256: 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426  
MD5: a841c3d335907ba5ec4c2e070be1df53  
Typical Filename: chip 1-click installer.exe  
Claimed Product: chip 1-click installer   
Detection Name: Win.Trojan.Generic::ptp.cam  

SHA 256: 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97   
MD5: 258e7698054fc8eaf934c7e03fc96e9e   
Typical Filename: samsungfrp2021.exe   
Claimed Product: N/A   
Detection Name: W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34