11.07.22

Corvus Threat Intel

Emotet Malware (Back Again), Law Firm Impersonators, & Dropbox Breach

Return of Emotet malware, law firm impersonation, and a breach at Dropbox.


Emotet Malware Returns...Again 

Emotet, the storied malware family that just won’t quit, has returned to action after a months-long hiatus. This malware is spread through email by impersonating trusted companies, then tricking users into downloading files or clicking links. The emails typically contain a seemingly harmless attachment such as a Microsoft Excel or Word file which will quietly carry out a number of malicious activities when opened. Over time, the Emotet operators have grown their operation into a complex malware-as-a-service offering, where the malicious emails serve as a delivery mechanism for other malware or ransomware groups. After small beginnings in 2014, Emotet grew large enough to attract international law enforcement attention and was shut down in January 2021. Unfortunately, the reprieve was short-lived after Emotet returned just a few months later in November 2021. The Emotet operators are known to take a few months off from time to time before getting back to their business of being a delivery service for pernicious cybercrime.

Why This Matters

With its expansive infrastructure, Emotet is able to deliver malicious emails to unsuspecting users in astounding numbers. Only a few need to fall prey to keep large crime groups like ransomware gangs supplied with victims. Organizations can help mitigate this threat by training users not to open email attachments they weren’t expecting to receive and by keeping macros in Microsoft documents disabled. Endpoint Detection and Response (EDR) solutions can help prevent wider compromise if Emotet does find its way from a user’s inbox into a network.

Additional Information:


New Threat Actor Impersonates Law Firms and Collection Agencies for Payment Fraud 

Research by Abnormal Security reveals a new threat actor leveraging impersonation tactics to trick businesses into sending fraudulent payments. Dubbed Crimson Kingsnake, this group has been mimicking well-known law firms and debt collection agencies to trick accountants into paying fake invoices. Here’s how the typical attack works:

  1. The threat actor acquires a website domain closely resembling that of a well known law firm. This is called typosquatting. To mimic lawfirm.com the threat actor might create lawflrm.com – note the “l” instead of an “i”).
  2. The attacker creates an email address using the name of an attorney at the law firm they are impersonating, and places the company’s real address in the email signature.
  3. The threat actor sends an initial email to an accountant at a target company claiming to be chasing an unpaid invoice.
  4. Once the victim responds, the attacker sends payment details with a manufactured PDF invoice.

If Crimson Kingsnake is met with resistance, they will take on an additional persona as an executive at the targeted company. Now impersonating an executive, the group has been observed going one step further to authorize the questioning employee to make the fraudulent payment, often referencing having approved the services several months prior without a purchase order.

Why This Matters

Incidents such as these don’t garner the same attention as large ransomware or data theft cases, but fraudulent payments are a tricky threat. The extra lengths threat actors such as Crimson Kingsnake go to be convincing undoubtedly pays off. Organizations can help protect themselves through social engineering awareness training that includes an emphasis on detecting urgency in a requestor’s email. Whenever payments are involved, checks and balances should be applied, including verification for services rendered, payment information, and the requestor’s identity. A Secure Email Gateway (SEG) can also help prevent spam, phishing, and malicious emails from reaching employees in the first place. See our article here for more information on preventing this type of attack.

Additional Information:


Dropbox Discloses Breach after 130 Private Github Repos are Stolen

Cloud storage giant Dropbox disclosed that it was breached in October after a threat actor stole data from 130 of its GitHub code repositories. Attackers walked away with API keys, some modified code, as well as the names and email addresses of thousands of Dropbox employees, customers, sales leads, and vendors. Dropbox has stated that none of its users’ content, passwords, or payment information were accessed. The attack ultimately stemmed from a phishing attack impersonating the CircleCI devops integration platform and targeting Dropbox employees. This phishing attack led to a sign in page where employees entered their GitHub username, password, and hardware authentication key to pass a One Time Password (OTP) to a malicious site. Threat actors were then able to use this information to gain access to employee GitHub accounts. The intrusion was discovered when GitHub notified Dropbox of suspicious activity.

Why This Matters

 This is another example of how phishing and MFA bypass have proven effective, even against some of the biggest names in tech. Phishing campaigns can be particularly convincing especially when they are targeted. Phishing-resistant methods of MFA are becoming more of a need as threat actors find ways to bypass traditional MFA methods.

Additional Information:


This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice.

[RELATED POST] Hive Ransomware, Holiday Phishing Scams, & Amazon RDS Leaks Data

Hive Ransomware, Holiday Phishing Scams, & Amazon RDS Leaks Data

Hive ransomware makes a profit, phishing for the holidays, and Amazon RDS leaks personal data.

[RELATED POST] Exploiting Zero Days, Citrix Vulnerability, and SEO Poisoning

Exploiting Zero Days, Citrix Vulnerability, and SEO Poisoning

Attackers are exploiting zero-days faster, Citrix vulnerability, and SEO poisoning attack.