Microsoft, Italy and the Netherlands agencies warn of EMOTET campaigns

Pierluigi Paganini September 24, 2020

Experts worldwide warn about a surge in the Emotet activity, this time the alerts are from Microsoft, Italy and the Netherlands agencies.

Two weeks ago, cybersecurity agencies across Asia and Europe warned of Emotet spam campaigns targeting businesses in France, Japan, and New Zealand. The French national cyber-security agency published an alert to warn of a significant increase of Emotet attacks targeting the private sector and public administration entities in France. New Zealand’s Computer Emergency Response Team (CERT) also published a security alert warning of spam campaigns spreading the Emotet threat. Japan’s CERT (JPCERT/CC) also issued an alert to warn of a rapid increase in the number of domestic domain (.jp) email addresses that have been infected with the infamous malware and that can be employed in further spam campaigns.

Now agencies in Italy and the Netherlands, and researchers from Microsoft issued new alerts about the spike in Emotet activity.

The recent Emotet campaign uses spam messages with password-protected attachments, experts noticed a decline in infections over the weekend, a behavior already observed in the past.

“Emotet malware is distributed via e-mails that contain .docx files containing malicious macros as an attachment. Additional malware is downloaded and installed when running these macros. This malware can install all kinds of additional malware on systems after activating the malicious macro.” states the advisory published by The Netherlands National Cyber Security Center.”One of the characteristics of the malware is that the victim’s address book is used to steal email addresses that are then used for further spam emails.”

The Italian CSIRT is warning of a malspam campaign that delivers the infamous malware. According to the Italian Agency, the spam messages have no text, with the exception of a fictitious name and password (“Archive password: 81301”), which is required to open the protected (ZIP) archive.

“Within the aforementioned attachment there is a Word file which, once opened, requires the victim to enable the macro; the latter starts the execution of PowerShell code: the resulting connections are aimed at downloading the Emotet malware.” states the Italian CSIRT’s alert.


The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. In the middle-August, the malware was employed in fresh COVID19-themed spam campaign

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

Emotet malware is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Security experts pointed out that Emotet gang also sells access to these infected networks to other cybercrime organizations, such as ransomware operators.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment