Pierluigi Paganini July 18, 2020

After months of inactivity, the infamous Emotet trojan has surged back with a new massive spam campaign targeting users worldwide.

The notorious Emotet went into the dark since February 2020, but now has surged back with a new massive spam campaign targeting users worldwide.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542.

In 2019, security experts haven’t detected any activity associated with Emotet since early April, when researchers at Trend Micro have uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as Proxy C2 servers.

Emotet re-appeared on the threat landscape in August 2019, with an active spam distribution campaign. At the time, Malwarebytes observed the Trojan started pumping out spam, spam messages initially targeted users in Germany, Poland and Italy, and also the US. The campaign continues targeting users in Austria, Switzerland, Spain, the United Kingdom, and the United States.

Emotet is considered by security experts as one of the most active botnet of 2019,

“Today, Emotet suddenly surged back to life with reply-chain, shipping, payment, and invoice spam that deliver malicious Word documents spreadsheets.” states BleepingComputer.

Malware researchers Joseph Roosen confirmed that limited activity associate with the botnet was observed earlier this week, botnet operators were using weaponized documents employing old URLs.

Roosen added that the Emotet botnet is now spewing forth massive amounts of spam employing new URLs pointing to compromised WordPress sites.

According to researchers from Confense Labs, most of the recent spam messages are using email with a subject of ‘Jobs GO,’ and a few of them are using a ”Expedia Payment Remittance Advice”  or requests for W-9 templates.

Other samples analyzed by the researchers use bait documents that pose as a shipping document from Loomis-express.com.

Researchers from Cryptolaemus, a group of experts focused on analyzing Emotet, also confirmed Emotet’s resurrection. Other research groups also observed a surge back of the botnet:

Researchers from MalwareBytes also published a post containing details of the Emotet activity recently observed.

“It was never a question of “if” but “when”. After five months of absence, the dreaded Emotet has returned. Following several false alarms over the last few weeks, a spam campaign was first spotted on July 13 showing signs of a likely comeback.” reads the post published by MalwareBytes.

“The Emotet botnets started pushing malspam actively on Friday, July 17, using the same techniques as it employed previously. Malicious emails contain either a URL or an attachment.”

Upon enabling the macro, WMI launches PowerShell to retrieve the bot binary from one of the remote compromised websites.

The news that Emotet is back is alarming for security experts, the operators behind the threat used their botnet to deliver also other threats, for this reason, it is very important to share any info related to recent attacks to prevent them from targeting organizations worldwide.

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]