Malspam, or malicious spam, is one of the most common and problematic attack vectors currently plaguing the cyber threat landscape. It is a very effective method for delivering emails in bulk that contain a phishing message directing victims to either click on an embedded link or download an infected attachment. Once opened, a hidden executable performs a malicious activity, such as downloading additional malware related modules in the background unannounced to the user.
Today, two of the most notorious spam-related botnets are TrickBot and Emotet. These were once considered banking trojans but have evolved over the years to become multipurpose malware downloaders offering spreading/dropping as a service. These downloaders are spread via Malspam campaigns and are often seen delivering third-party payload that ultimately results in a ransomware infection, which was a potential major threat for the election process in the United States this year.
After five months of silence from the botnet, Proofpoint published a blog detailing the return of Emotet. And, roughly four months after the return of Emotet, and one month prior to the 2020 U.S. election, researchers from Proofpoint once again discovered a timely adoption of political and election lures by the authors.
Proofpoint researchers report that TA542, the threat actors behind Emotet, historically have not directly leveraged political themes in their lures but on October 1st, Proofpoint researchers observed thousands of Emotet emails with the subject “Team Blew Take Action” sent to organizations in the United States. Furthermore, researchers discovered that this round of Malspam from Emotet delivered a second-stage payload containing Qbot and The Trick. Proofpoint believes that TA542 use of a politically themed lure is not driven by a specific political ideology or influence, but is designed to leverage in a current event to reach as many intended victims as possible.
Following the news of Emotet’s use of politically themed lures, on October 12th, Microsoft’s Defenders Team, NTT, Broadcom’s cyber-security division of Symantec, along with other companies and organizations, announced a coordinated and ongoing effort to disrupt Trickbot’s infrastructure. Through investigations and research, this alliance of tech companies was able to obtain a court order allowing them to legally do so.
To be clear, this operation was not designed to completely take down the botnet’s infrastructure. Rather, it was a coordinated legal effort designed to disrupt the threat actors during a critical moment. I think most of those involved with the disruption knew the authors behind TrickBot would rebuild their infrastructure and re-tool their capabilities, but something had to be done to counter the growing threat presented by TrickBot.
Outside of disruption, completely taking down TrickBot is a serious challenge. Because Trickbot is globally distributed and contains over 1 million infected devices, some of which include IoT devices, this presents a serious challenge when it comes to removing every infected device in a coordinated single action. Legally, the alliance of tech companies involved could only disrupt court-approved devices located in their jurisdictions, leaving infected devices unaffected in certain areas of the world. Because of TrickBot’s global distribution and rotation C2 IP address, disruption efforts are almost impossible since a malware server will always be online somewhere.
To further the issue and impact of Malspam during the election process in the United States, cybercriminals have been able to exploit election uncertainties since the U.S. did not converge on an instant or an uncontested result during the voting process. On November 4th, a day after the election, Malwarebytes Labs published a piece about social engineering and how threat actors are using the contested results as a lure to deliver the Qbot Trojan via Emotet. To note, this is not the first time we’ve seen Qbot or Emotet during the election process, but it demonstrates the threat actors’ ability to quickly leverage current events within hours for maximum impact.