The Emotet Botnet is Back in Action Sending Spam with New Lures to Fool the Unwary

There was a welcome Christmas break from the Emotet botnet, but life has returned to normal and it is well and truly back in action. Millions of malspam emails are now being sent spreading the Emotet Trojan in more than 80 countries.

The emails contain attachments that are used to install the information-stealing Emotet Trojan. Since Emotet is itself a malware downloader, that may not be the only malicious payload that is deployed: ransomware and further Trojans may also be downloaded by Emotet over time. Infected devices are also added to the botnet and are used to send spam emails containing a copy of the Trojan.

Emotet fell silent on December 21, 2019 but sprang back into action on January 13, 2020. The spamming is widespread, but the United States is being heavily targeted. The campaigns being run use a variety of lures to get recipients to open email attachments and enable content. Enabling content executes the macros in the attachment, which download and run the Emotet Trojan.

Lures include invoices, proof of delivery documents, receipts, statements, and agreements, with a major focus on business users, and new lures are frequently being devised. In the run-up to Christmas, campaigns were launched using Greta Thunberg-themed lures and Christmas party invitations. It was a similar story in the run-up to Halloween, when invitations to Halloween parties were used to spread the Emotet Trojan.

Another new lure has been spotted in the past few days. Emails are being sent mimicking the sextortion emails that proved so popular with email scammers in 2018. These are the emails where a supposed hacker claims to have installed malware and threatens to expose a user’s internet history along with webcam footage of them viewing adult content. The attachment claims to provide instructions for making a payment to have the footage deleted.

The Emotet group, also known as TA542, has also been conducting targeted attacks on specific industry sectors. A massive spamming campaign targeting the pharmaceutical industry has been detected by Proofpoint. The campaign initially targeted pharma companies in North America, but then spread to a further 11 countries. Proofpoint notes that TA542 sent around 750,000 emails in a single day in that campaign.

The risk of receiving these emails is high considering the volume of messages being sent, but there are simple steps that can be taken to manage that risk. Naturally, an advanced spam filtering solution should be implemented to block the majority of malspam emails. End user training is also vital. End users should be conditioned not to open unsolicited email attachments, to verify the authenticity of unsolicited attachments even when they appear to come from known senders, and to always err on the side of caution and contact their network administrator if a suspicious attachment is received.
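The infection chain above relies on a macro-enabled Office attachment reaching the user, so one cheap gateway control is to inspect every attachment's content for a VBA project and quarantine those that carry one, regardless of the file extension. The following is an added example written for this article, not code from the article's author or from any vendor product. It assumes the standard OOXML layout (a ZIP archive with a `vbaProject.bin` part and a `[Content_Types].xml` manifest) and, for legacy OLE2 files, a labelled heuristic on the `_VBA_PROJECT` storage name; the sample attachments and sender addresses are constructed for the demonstration.

```python
"""Flag macro-enabled Office attachments before they are delivered to a user.

Added example (not from the original article). It inspects the *content* of
an attachment rather than its file extension: an OOXML document (.docx/.xlsx/
.pptx and the macro-enabled .docm/.xlsm/.pptm variants) is a ZIP archive, and
a VBA project is stored as a `vbaProject.bin` part inside it. Legacy binary
Office files (OLE2 compound files) are caught by a simpler heuristic.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the bytes look like an Office document carrying VBA macros."""
    # Case 1: OOXML (ZIP container). Look for a vbaProject.bin part, or for the
    # VBA content type declared in the [Content_Types].xml manifest.
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return True
                if "[Content_Types].xml" in names:
                    return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
        except zipfile.BadZipFile:
            return False
        return False
    # Case 2: legacy OLE2 (.doc/.xls). Heuristic assumption used here: storage
    # names live in the directory as UTF-16LE strings, so "_VBA_PROJECT" encoded
    # that way is only present when the file holds a VBA project.
    if data.startswith(OLE2_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style ZIP from {part_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments; part bodies are placeholders, not real documents.
CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument'
                           b'.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
# A macro-enabled document that has been renamed to .docx: the extension lies,
# the vbaProject.bin part does not.
MACRO_DOC_RENAMED = build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00placeholder VBA project bytes\x00",
})
PDF_RECEIPT = b"%PDF-1.4\n%constructed placeholder\n%%EOF\n"

# Constructed inbound messages using the lure themes named in the article.
SAMPLE_MAIL = [
    {"from": "billing@example.invalid", "filename": "Invoice_2020-01.docx", "data": MACRO_DOC_RENAMED},
    {"from": "hr@example.invalid", "filename": "Agreement.docx", "data": CLEAN_DOCX},
    {"from": "courier@example.invalid", "filename": "ProofOfDelivery.pdf", "data": PDF_RECEIPT},
]


def triage(messages):
    """Return (filename, action) pairs: quarantine anything that carries macros."""
    results = []
    for msg in messages:
        action = "quarantine" if has_vba_macros(msg["data"]) else "deliver"
        results.append((msg["filename"], action))
    return results


if __name__ == "__main__":
    for filename, action in triage(SAMPLE_MAIL):
        print(f"{action:10s} {filename}")
```

The point of checking content rather than extension is that a renamed `.docm` still contains its `vbaProject.bin` part, so the first sample is quarantined even though it is named `Invoice_2020-01.docx`. In production this check would sit in the mail gateway's attachment pipeline alongside the spam filter the article recommends, and quarantined items would be routed to the administrator rather than silently dropped.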

Author: NetSec Editor