In the last edition of our Quarterly Cyber Threat Intelligence Report, Infoblox brings into focus and provides insights into two major cyber threats that organisations should be aware of – Emotet and Omnatuor Malvertising Network.
EMOTET
Emotet is a notorious malware family that has evolved significantly over the years: from a simple banking trojan to a botnet to an infrastructure for content delivery. Infoblox has been monitoring Emotet and providing insights on its activity all along. Emotet has been around since 2014. It survived its January 2021 takedown by law enforcement agencies from the Netherlands, UK, and US and from Germany, France, Lithuania, Canada, and Ukraine. During the takedown, Emotet was offline for 11 months. The frequency of Emotet-related malspam campaigns increased from January to May 2022 as the malware authors changed techniques to evade Microsoft’s increasing countermeasures on VBA Macro security. The Max Planck Institute for Plasma Physics was attacked on 12 June 2022, and recent reports put Emotet back at the top of the list of malware families with impact that spans the globe. A consistent feature of Emotet has been its use of email as a delivery vector. Microsoft Office documents have been the attachments of choice, and Excel files have been the most prevalent of these documents.
Infoblox’s analysis indicates that the actors behind Emotet have made some attempts to protect the network from further takedowns. Perhaps unsurprisingly, the use of compromised websites and of email as a delivery vector has persisted, and this has enabled us to reliably identify and track Emotet’s activity. Infoblox’s view of the threat landscape affords a detailed understanding of not only the current prevalence of Emotet in malspam, but also of the location and services used in its infrastructure.
As our company continues to research and monitor Emotet’s behavior, it will provide protection by denying access to the compromised domains used to host the Emotet payload,
and it will offer vital, actionable intelligence on Emotet’s C&C infrastructure.
We recommend the following actions for protection from this kind of an attack:
- To mitigate the risk of infection from known threats, keep security software up to
date and patched. - Conduct security awareness training in the organisation. It is important for
everyone to be up to date with the latest techniques used by attackers to trick
users who receive malicious emails. - Enhance network perimeter security. 99% of successful attacks involve some
type of network communication. Having the right tools in place can help identify
and minimise the impact of a threat like Emotet before they cause damage
OMNATUOR MALVERTISING NETWORK – Hijacks Browser Settings to Spread Riskware
For some time, the Infoblox Threat Intelligence Group has been tracking a malvertising network (the “Omnatuor Malvertising Network”) that not only abuses push notifications, pop-ups, and redirects within a browser but continues to serve ads even after the user navigates away from the initial page. Omnatuor has been dismissed by the security community as adware, a label that implies the activity is largely a nuisance. This naive response underestimates the danger of the potential threat posed by malvertising in general, and the Omnatuor actor in particular. In addition to its ability to persist, the network delivers dangerous content.
The Omnatuor actor takes advantage of WordPress vulnerabilities and is effective at spreading riskware, spyware, and adware. It uses an extensive infrastructure and has a broad reach into networks across the globe. The Omnatuor domain has suspiciously high breadth and query volumes. An initial look into WHOIS data revealed the domain was created on 12 July 2021. Since being registered it was present in 45% to 48% of all customer networks and surpassed 50% at various times. Most networks contained tens, if not hundreds, of thousands of queries for the domain. From July 2021 to July 2022, we observed just over 25.4 million unique, resolved queries to omnatuor[.]com.
This campaign compromises vulnerable WordPress sites through embedded malicious JavaScript or PHP code. The code redirects users or otherwise forces them to view and click malvertisements via pop-ups and push notifications.
We recommend that users take the following preventive measures:
- Configure Infoblox’s RPZ feeds in firewalls. This can stop the actors’ attempts to connect at the DNS level, because all components described in this report (compromised websites, intermediary redirect domains, DDGA domains, and landing pages) require the DNS protocol. TIG detects these components daily and adds them to Infoblox’s RPZ feeds.
- To assist in blocking known malvertising efforts, leverage the GitHub repository of indicators associated with the Omnatuor Malvertising Network.32 Infoblox offers a sample of indicators in this article and will continue to update the GitHub repository as new indicators are discovered.
- Use an adblocker program, such as UBlock Origin. The adware is delivered via an inline script, and blocking only the domains and IP addresses at a firewall or DNS level will not stop push notifications, redirects, or pop-ups. Because the DNS query cannot be completed, the contents of those vectors will not load; however, the browsing experience will still be interrupted.
- Disable JavaScript entirely or use a web extension (such as NoScript) to enable JavaScript only on trusted sites.
Discussion about this post