Emotet Threat Actors Use Technique to Bypass Email Controls

Over the past year, the Emotet trojan has been a prevalent cyber threat across New Jersey. The NJCCIC has received numerous reports regarding Emotet infections, often impacting the operations of affected organizations for weeks as a result. Emotet has now evolved to bypass the controls often recommended to defend against this threat. After a machine is infected, Emotet communicates with its command-and-control (C2) server, which then responds with instructions for a malspam campaign used for further distribution. Emotet uses spoofing to make associated emails appear as though they are sent by trusted contacts. To help identify malicious emails using spoofing, it is often recommended to implement DMARC (Domain-based Message Authentication, Reporting & Conformance), which is built on top of SPF (Sender Policy Framework) and DKIM (Domainkeys Identified Mail). In response, the threat actors behind Emotet campaigns found a way to circumvent DMARC controls via domain hijacking, the act of taking control of an existing domain in order to redirect traffic to a malicious site. Actors hijack domains with newly created subdomains called “_domainkey,” a subdomain essential to DKIM, and use this tactic to circumvent DMARC. More information on this technique can be found from Bleeping Computer here. The NJCCIC recommends spreading awareness of spoofed messages and the continued threat they pose in order to help reduce victimization by these emails when other defenses fail to block them. DMARC is still an effective control to reduce spoofed emails and organizations are advised to implement this protocol.

AlertNJCCICEmotet, email