Palo Alto Networks: Cybercriminals are spreading Emotet through compromised SME domains across APAC. Malware variants are distributed primarily because web servers are not updated and patched, and also thanks to WordPress vulnerabilities
Emotet actors are exploiting a large number of vulnerable servers belonging to small and mid-size enterprises (SMEs) across APAC to distribute malware variants, Palo Alto Networks cyber security experts have discovered. This is primarily due to a lack of updating and patching of their web servers. Additionally, researchers found that the majority of these compromised domains are running the WordPress blogging software. An important aspect of the overall campaign's modus operandi is the use of compromised legitimate domains to host and distribute the malware delivery documents and executables. Looking at the compromised domains, the majority of them belong to SMEs with legitimate businesses. Small or medium organizations often don't update or patch their web servers, likely due to their limited resources. This allows cybercriminals to exploit the server-side vulnerabilities and host the variants, which are then delivered via HTTP links embedded in the malspam campaigns.
The cyber security experts: There is a clear increase in APAC distribution servers used by cybercriminals since early 2019
The cyber security experts, extracting all APAC-related domains involved in spreading the Emotet malware since January 2019, see a clear increase in distribution servers used by the malware actors since early 2019. The banking trojan's malspam campaigns went dark towards the end of May, but it is important to note that the number of distribution servers used during the month was significantly higher than in previous ones, which may imply that the actors intended to grow their botnet and also possibly profit as much as possible before they took a break. Drilling down to country-specific domains, researchers can discern some interesting insights into the most affected countries. The top ones are Vietnam, India, Indonesia, Australia, China and Japan, followed by several ASEAN nations.
The banking trojan also spreads thanks to WordPress vulnerabilities
Palo Alto Networks data reveals that a large number of vulnerable servers across APAC are exploited by Emotet actors to distribute variants. It also indicates that a large number of SMEs fail to follow best practices, like patching their systems on a regular basis, resulting in them being exploited and becoming a critical part of the overall success of the cybercrime campaign. Cyber security experts underline that the majority of the compromised domains are running the WordPress blogging software. This is thanks to the high number of vulnerabilities that have been disclosed in the blogging platform.