Emotet: the most detected malware during the first quarter of the year

The latest global HP Wolf Security Threat Insights report highlights a 27% increase in the number of threats captured, including script-based malware, phishing via HTML smuggling, and persistent reinfection.

HP's study shows that Emotet has risen 36 places to become the most common malware family detected this quarter (9% of all malware captured). One such campaign, which targeted Japanese organizations and used email thread hijacking to trick recipients into infecting their PCs, was largely responsible for an 879% increase in .XLSM (Microsoft Excel) malware samples captured compared to the previous quarter.

In addition, HP Wolf Security experts have analyzed the latest techniques used by cybercriminals, among which the following stand out:

  • Stealthy alternatives to malicious Microsoft Office documents are becoming more prevalent as macros begin to be phased out: since Microsoft began disabling macros, HP has seen an increase in non-Office formats, including malicious Java Archive files (+476%) and JavaScript files (+42%), compared to the previous quarter. These attacks are harder for organizations to defend against because detection rates for these file types are often low, increasing the chances of infection.
  • HTML smuggling is increasing: the average file size of HTML threats grew from 3 KB to 12 KB, indicating a rise in the use of HTML smuggling, a technique in which cybercriminals embed malware directly into HTML files to bypass email gateways and evade detection, before gaining access to and stealing critical financial information. Campaigns targeting Latin American and African banks have recently been seen.
  • A “two for one” malware campaign leads to multiple RAT (Remote Access Trojan) infections: a Visual Basic script attack was found to start a chain of attacks resulting in multiple infections on the same device, giving attackers persistent access to victim systems with VW0rm, NjRAT and AsyncRAT.
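The three delivery patterns above (script containers replacing macro documents, HTML smuggling, and VBS-led chains) can all be triaged statically at the mail gateway before a user ever opens the attachment. The following is an added example written for this article, not code from HP or from the report: it scores an attachment by its real (last) extension and, for HTML files, by the browser APIs and embedded base64 blob that HTML smuggling relies on. The extension lists, the point values, the 12 KB size hint (taken from the report's average HTML threat size) and the sample HTML bodies are all assumptions constructed for the example.

```python
import base64
import re
from dataclasses import dataclass, field

# Added example (not the HP report's code): static triage of an email attachment
# against the delivery patterns the report describes. All thresholds are assumptions.

# Non-Office script containers the report says are rising as macros are phased out
SCRIPT_LIKE_EXT = {".jar", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Macro-enabled Office formats (the .XLSM lure used in the Emotet campaign)
MACRO_OFFICE_EXT = {".xlsm", ".docm", ".pptm"}
HTML_EXT = {".html", ".htm"}

# Browser APIs an HTML page needs to rebuild an embedded file and hand it to the user
SMUGGLING_APIS = (b"atob(", b"new Blob(", b"createObjectURL(", b"msSaveOrOpenBlob(", b"download=")
# A long uninterrupted run of base64 characters: the embedded payload itself
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# 12 KB is the report's average size of an HTML threat; used here only as a size hint (assumption)
HTML_SIZE_HINT = 12 * 1024
SUSPICIOUS_SCORE = 3  # assumption: at or above this the attachment is held for review


@dataclass
class Verdict:
    filename: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)

    @property
    def suspicious(self):
        return self.score >= SUSPICIOUS_SCORE


def extension(filename):
    """Last extension, lower-cased, so 'Invoice.pdf.JS' is treated as .js, not .pdf."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage_attachment(filename, data):
    """Score one attachment (name plus raw bytes) and explain every point awarded."""
    v = Verdict(filename)
    ext = extension(filename)
    if ext in SCRIPT_LIKE_EXT:
        v.add(3, f"script container {ext}")
    elif ext in MACRO_OFFICE_EXT:
        v.add(2, f"macro-enabled Office format {ext}")
    elif ext in HTML_EXT:
        if len(data) > HTML_SIZE_HINT:
            v.add(1, "HTML larger than typical lure size")
        for api in SMUGGLING_APIS:
            if api in data:
                v.add(1, f"uses {api.decode()}")
        if BASE64_BLOB.search(data):
            v.add(2, "contains long base64 blob")
    return v


# --- constructed samples for the example; the "payload" is plain text, not a real file ---
BENIGN_HTML = b"<html><body><h1>Order confirmation</h1><p>Thank you for your purchase.</p></body></html>"

_blob = base64.b64encode(b"constructed sample payload, not a real file " * 8)
SMUGGLING_HTML = (
    b"<html><body><script>\n"
    b"var data = atob('" + _blob + b"');\n"
    b"var blob = new Blob([data]);\n"
    b"var url = URL.createObjectURL(blob);\n"
    b"</script><a download='x' href='#'>Open</a></body></html>"
)

if __name__ == "__main__":
    samples = [
        ("order.html", BENIGN_HTML),
        ("invoice.html", SMUGGLING_HTML),
        ("Invoice.pdf.JS", b""),
        ("report.xlsm", b""),
    ]
    for name, body in samples:
        v = triage_attachment(name, body)
        print(f"{name}: score={v.score} {'SUSPICIOUS' if v.suspicious else 'ok'} {v.reasons}")
```

The scoring is deliberately additive so that a reviewer sees why a file was held: the smuggled HTML sample collects points for each reconstruction API plus the base64 blob, while a macro-enabled spreadsheet on its own stays below the threshold, which matches the report's observation that plain Office files are still the bulk of what gets isolated rather than a verdict in themselves.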

“Our Q1 data shows that this is by far the most activity we have seen from Emotet since the group was disrupted in early 2021, a clear sign that its operators are regrouping, regaining strength and investing in the growth of the botnet. Emotet was once described by CISA as one of the most destructive and costly malware to remediate, and its operators often collaborate with ransomware groups, a pattern we can expect to continue. So its reappearance is bad news for businesses and the public sector alike,” explains Alex Holland, Principal Malware Analyst for the HP Wolf Security Threat Research Team at HP Inc. “Emotet has also continued to favor attacks with macros, perhaps to get hacks in ahead of Microsoft’s April deadline, or simply because people still have macros enabled and can be tricked into clicking the wrong object.”

Results are based on data from many millions of endpoints running HP Wolf Security, which tracks malware by opening risky tasks in isolated micro-virtual machines (micro-VMs) to protect the user and to understand and capture the entire chain of infection attempts, mitigating threats that have escaped other security tools. To date, HP customers have clicked on more than 18 billion email attachments, web pages and downloads with no reported breaches. This data provides a unique insight into how malware is actually used by threat actors.

Other key findings of the report are:

  • 9% of threats had not been seen before at the time they were isolated, and 14% of isolated email malware had bypassed at least one email gateway scanner.
  • On average, it took more than 3 days (79 hours) for isolated threats to become known by hash to other security tools.
  • 45% of malware isolated by HP Wolf Security were Office file formats.
  • The threats used 545 different malware families in their attempts to infect organizations, with Emotet, AgentTesla, and Nemucod being the top three.
  • A Microsoft Equation Editor exploit (CVE-2017-11882) accounted for 18% of all malicious samples captured.
  • 69% of detected malware was distributed via email, while web downloads were responsible for 18%. The most used attachments to distribute the malware were documents (29%), archives (28%), executables (21%) and spreadsheets (20%).
  • The most commonly used attachments for sending malware were spreadsheets (33%), executables and scripts (29%), archives (22%), and documents (11%).
  • The most common phishing scams were business transactions such as “Order”, “Payment”, “Purchase”, “Request” and “Invoice”.

“This quarter we have seen a significant 27% increase in the volume of threats captured by HP Wolf Security. As cybercriminals modify their approaches in response to changes in the IT landscape, the volume and variety of attacks continue to increase, and it becomes more difficult for conventional tools to detect attacks,” says Dr. Ian Pratt, Global Director of Security for Personal Systems at HP Inc. “With the rise in cases of alternative file extensions and the techniques being used to evade detection, organizations must reverse course and take a layered approach to endpoint security. By applying the principle of least privilege and isolating the most common threat vectors, from email, browsers or downloads, malware delivered via these vectors is harmless. This dramatically reduces organizations’ exposure to cyber threats.”
