The ongoing trade tensions between the United States and Canada, fueled by tariffs imposed by both the Trump administration and retaliatory measures from Prime Minister Trudeau, are poised to have far-reaching effects on numerous industries—including cybersecurity. Canadian cybersecurity firms offering Incident Response (IR), Digital Forensics, and SOC-as-a-Service are particularly vulnerable [...]
On January 27, 2021, news broke from Europol that a collaborative effort had effectively taken down and disrupted one of the most significant botnets in the past decade – Emotet. This global action and collaborative initiative incorporated authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine, with international activity coordinated by Europol and Eurojust. Additional details on the effort can be found in the press release here.
In an effort to utilize our state of the art threat intelligence to create meaningful impact to our clients and users all over the world, we at Mjolnir Security have been tracking Emotet over the last two years as the infections spread worldwide. Our primary focus has been to learn about the attacker infrastructure as well as spread awareness, successfully notifying countless victims before they were hit by what generally comes next – Ransomware.
Our threat intelligence feeds, coupled with our live tracker available here: https://mjolnirsecurity.com/emotet-and-trickbot-tracker/ allowed us to share the beaconing of Emotet traffic to the general public who visited our website.
Live Emotet and Trickbot Tracker
Now that the decade of Emotet has come to an end we at Mjolnir decided to take our Emotet data and plot the beaconing traffic to identify potential trends in attacker activity. As part of this analysis, we specifically targeted the past 13 months and identified a pattern emerging. The plot below starts mapping activity just before the pandemic began to see if WFH (Work from home) had any causal relationship to attacker activity.
13 Months of Emotet
As you can see in the bar chart above, the year began very somber with only a few weeks surpassing 300k beacons. The first noticeable uptick in activity was in the week of April 9, 2020, with similar heightened activity continuing until the week of June 4, 2020, before dropping again. We were able to correlate this time period to the world’s largest lockdown, as almost everyone around the world was effectively working from home along with our attackers.
Each beaconing activity mapped above refers to an automated malicious message that the Emotet trojan was communicating back to its command and control (C2) servers.
In July, as the Emotet activity tapered off, there were several reports including one from ZDNet that mentioned in their post that the Emotet botnet was considered inactive for about five months, with indications that they had stopped their spam campaign. The activity outlined in the bar chart above during the hiatus shows that even when the active campaigns had stopped, the victims continued clicking on the same malware left behind by attackers and were infecting themselves.
As we can see, the graph then gradually peaks up as the spam campaign intensifies before dropping again at the tail end of November 2020. At this point in time, based on the data, it appears like the botnet operators decided to take a well-earned break after a year of mayhem and decided to enjoy their Christmas break. With a decent break, there was a rapid increase in attacker activity right after the new year, suggesting the attackers wanted to get back to work immediately.
When analyzing beacon activity for countries all over the world by comparing beacon activity at 2 points in time, current (_count) vs. previous week (Count_7 days), we see that most countries maintained the same number of beacons at both points in time:
Additionally, we at Mjolnir also conducted an analysis on what the past thirty days of activity look like and the graph below shows our results:
Each bar outlined in the bar graph above represents an hour of time and the spikes in early January show a very interesting pattern. The activities for the beaconing show that most of the activity tends to occur just before and after a weekend. During weekdays, we see that beacon activity tends to occur between 9am-5pm Eastern time, which suggests that the victims typically click on the malware and spam during their regular office hours.
As we continue to monitor and analyze our data, we will continue to share more interesting findings and see if we can form additional correlations. It may still be too early to talk about how many infections fall as the specific date of takedown is not clear, though we have seen a drop in Emotet email campaigns with our clients. We will continue to track, monitor, and share as Emotet beacon patterns change.
Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on various versions of Microsoft Windows. While it can be used to carry out many malicious and criminal ...