Emotet Botnet Springs Back to Life with Massive Malspam Campaign

The Emotet botnet has sprung back to life after a 5-month break and is being used to send large volumes of spam emails containing malicious URLs and attachments. Emotet malware was the biggest malware threat in 2018 and 2019, but the botnet has been quiet for much of 2020.

The Emotet botnet often has periods of dormancy, before springing back to life and sending huge volumes of spam email. When Emotet went quiet in early 2020, it was not a case of whether malicious activity would resume, it was just a case of when that would be. Proofpoint reports that the last detection of Emotet emails was on February 7, 2020.

Emotet activity was detected on July 13, 2020 when the first few test emails were sent, before the campaign started in earnest on July 17. Around 250,000 emails are now being sent per day.

Emotet malware is delivered via email, most commonly using malicious macros in Excel spreadsheets and Word documents. When the email attachment is opened and macros are enabled, Emotet malware is downloaded from a remote, compromised website – often WordPress sites – using PowerShell. When Emotet is downloaded, the infected device is added to the Emotet botnet and is turned into a zombie spamming machine.

Emotet malware can steal sensitive information, such as usernames and passwords and emails. Emotet malware is also a malware downloader and is used to download other malware variants, commonly TrickBot and other banking Trojans. Trickbot is also a malware downloader and has previously been used to download Ryuk ransomware.

Initially, users in the United States and United Kingdom were targeted, but the campaign is now truly global, with users in all geographic regions being targeted.

The latest campaign uses similar tactics to previous campaigns. Emails masquerade as purchase orders, receipts, invoices, payment advice notices, and shipping notices. The emails are often personalized, and a common tactic is to insert a reply into an existing email thread to make it appear that the email is a genuine reply from a known contact.

The discovery of Emotet on a device should be treated with the same urgency as a ransomware attack. The device should be isolated, and investigations conducted to identify other devices that may have been compromised. Removing Emotet can be a major challenge, as the malware can propagate and infect other devices on the network. When one device is cleaned it can easily be reinjected by other devices on the network.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news