In January 2021, the infamous Emotet botnet was shut down following an international law enforcement operation coordinated by Europol and Eurojust. Emotet started life as a banking Trojan and was first detected in 2014. Over the years the malware evolved into a powerful tool that was offered under the malware-as-a-service model to provide other threat actors with access to the devices infected with Emotet, including ransomware gangs and the operators of the TrickBot Trojan. At its height, it was the most widely distributed malware variant and had infected thousands of companies and millions of computers around the world.
In November 2021, security researchers started reporting that the botnet was being rebuilt. The TrickBot Trojan, which was once distributed by Emotet, was being used to infect devices with Emotet, reversing the earlier relationship. According to Check Point's March Threat Index, Emotet is now once again the most widely deployed malware, and the botnet is growing fast. Check Point says as many as 10% of organizations around the world were infected in March, roughly twice the number infected in February.
Several spam email campaigns have been identified in recent weeks that attempt to trick individuals into installing the Emotet Trojan or the Emotet-linked malware QBot. Kaspersky Lab reports that around 3,000 emails attempting to install Emotet were intercepted in February, and 10 times that number in March. The emails include either a malicious attachment or a link to a cloud-hosting service; several have carried a OneDrive URL. If the link is clicked, a password-protected, encrypted archive is downloaded. Inside is a malicious Microsoft Excel Add-in (XLL) file that installs the malware. The password needed to open the archive is included in the message body, which keeps the payload opaque to email gateways and sandboxes that cannot open encrypted archives. Several of the emails have had one-word subject lines such as "Salary" and encourage the recipient to open the attachment to view important information.
The use of an XLL file is unusual for the Emotet gang, which has previously mostly used Word and Excel documents with malicious macros. The change could well be linked to Microsoft's move, from this month, to block macros by default in Word and Excel files delivered via the Internet. An XLL add-in is a compiled DLL that Excel loads directly (calling its exported xlAutoOpen function), so it does not depend on VBA macros and the new macro block does not apply to it; the user still has to click through Excel's add-in security prompt. Once a user has been infected, their email account will be hijacked and used to send spam emails to contacts, and the malware can be used to deliver additional payloads such as Cobalt Strike.
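The lure chain described above (terse subject, cloud-hosting link or archive attachment, archive password handed over in the body) can be turned into a simple gateway-side triage rule. The following is an added example written for this page, not code from Emotet, Check Point, Kaspersky or Proofpoint; the sample messages are constructed, and the lists of cloud hosts and risky file extensions are assumptions to be tuned for your own environment.

```python
"""Heuristic triage for the Emotet-style lure described in the text.

Example code written for this page (not a vendor tool). It flags a message
when a delivery vector (cloud-hosting link or archive/XLL attachment) is
combined with a password in the body, which is the tell that the archive
was encrypted specifically so gateway scanning could not inspect it.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumptions (not from the article): which hosts and extensions to treat
# as risky delivery vectors. Tune these for your environment.
CLOUD_HOSTS = ("onedrive.live.com", "1drv.ms", "sharepoint.com",
               "dropbox.com", "drive.google.com")
RISKY_EXTENSIONS = (".xll", ".zip", ".7z", ".rar", ".iso", ".img")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\bpassword\b", re.IGNORECASE)
ONE_WORD_SUBJECT_RE = re.compile(r"^\s*\S+\s*$")


def _text_body(msg: EmailMessage) -> str:
    """Return the message text (plain preferred, HTML as fallback) or ''."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def _is_cloud_host(url: str) -> bool:
    """True if the URL's host is, or is a subdomain of, a listed cloud host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS)


def triage(raw: str) -> dict:
    """Parse one RFC 5322 message and report which indicators it triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("subject", ""))
    body = _text_body(msg)

    cloud_links = [u for u in URL_RE.findall(body) if _is_cloud_host(u)]
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky_attachments = [f for f in attachments
                         if f.lower().endswith(RISKY_EXTENSIONS)]
    password_in_body = PASSWORD_RE.search(body) is not None
    one_word_subject = ONE_WORD_SUBJECT_RE.match(subject) is not None

    # Core pattern: a delivery vector plus a password in the body. The
    # one-word subject is reported as a supporting indicator only.
    delivery = bool(cloud_links or risky_attachments)
    return {
        "subject": subject,
        "cloud_links": cloud_links,
        "risky_attachments": risky_attachments,
        "password_in_body": password_in_body,
        "one_word_subject": one_word_subject,
        "suspicious": delivery and password_in_body,
    }


# Constructed sample mirroring the link variant (not a real message).
LURE_WITH_LINK = """\
From: payroll@example.com
To: staff@example.com
Subject: Salary
Content-Type: text/plain; charset="utf-8"

Please open the file to view important information.
https://onedrive.live.com/download?cid=EXAMPLE&resid=EXAMPLE
Password: 0000
"""


def build_lure_with_attachment() -> str:
    """Constructed multipart sample: password-protected archive attached."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Salary"
    msg.set_content("The password for the archive is 0000.")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="Salary.zip")
    return msg.as_string()


# Constructed benign control message.
BENIGN = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

Menu is at https://www.example.com/menu.html - see you at noon.
"""


if __name__ == "__main__":
    for name, raw in (("link lure", LURE_WITH_LINK),
                      ("attachment lure", build_lure_with_attachment()),
                      ("benign", BENIGN)):
        print(name, triage(raw))
```

The rule deliberately does not try to open the archive: the point of the password in the body is that automated scanners cannot, so the presence of that pattern is itself the signal. A production deployment would feed `suspicious` messages to a detonation sandbox that can be given the extracted password, and would add the XLL-specific check that any extracted file is a PE DLL exporting `xlAutoOpen` regardless of its extension.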
As was the case before the botnet was shut down, the operators have used a variety of lures in their spam email campaigns, including several Easter-themed messages, which have been distributed in mass campaigns consisting of millions of emails in multiple languages including English, Spanish, French, Italian, Polish, and Russian. Proofpoint has also recently identified small-scale campaigns that appear to be tests of new infection techniques; those campaigns could be scaled up if they prove successful.