20 July 2020

Emotet botnet returns after a five-month break, starts spewing out new spam

Emotet, one of the world’s most dangerous botnets, has surged back to life after a five-month hiatus and once more begun sending spam aimed at delivering a backdoor that installs ransomware, banking trojans, and other kinds of malware.

According to Malwarebytes Labs, the first signs of a malspam campaign were spotted on July 13; several days later, on July 17, the Emotet botnets began actively spreading spam messages using the same techniques as in previous malicious campaigns.

Malicious emails contain either a URL or an attachment that leads to a malicious Word file. One familiar technique is for the document to be sent as a reply within an existing email thread. The malicious document contains a heavily obfuscated macro which, when enabled, launches PowerShell to retrieve the Emotet binary from one of several compromised websites. Once the payload is executed, it sends a confirmation back to one of Emotet’s command-and-control servers.
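A defender-side check for the infection chain just described (an Office document launching PowerShell to fetch a payload), added here as an example and not taken from the article or from Malwarebytes: it runs over constructed process-creation events, and the process names and command-line patterns it looks for are my assumptions about typical stager telemetry.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (parent image, child image, command line),
# shaped like what Sysmon event ID 1 or EDR telemetry records. Not real data.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe",
     "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "\"WINWORD.EXE\" /n invoice_reply.doc"),
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -w hidden -enc ZQBjAGgAbwA="),          # constructed encoded stager
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -File C:\\scripts\\backup.ps1"),        # benign admin script
]

# Assumed lists: Office hosts that should rarely spawn scripting engines.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line fragments commonly seen in download-and-execute stagers.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"net\.webclient|bitsadmin|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression)",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

@dataclass
class Finding:
    parent: str
    child: str
    reasons: list

def evaluate(parent_image: str, child_image: str, cmdline: str):
    """Return a Finding when an Office app spawns a scripting host, else None."""
    parent, child = basename(parent_image), basename(child_image)
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    reasons = [f"{parent} spawned {child}"]
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(cmdline)})
    reasons += [f"suspicious argument: {h}" for h in hits]
    return Finding(parent, child, reasons)

def scan(events):
    """Apply evaluate() to every (parent, child, cmdline) tuple and keep hits."""
    return [f for f in (evaluate(*e) for e in events) if f is not None]
```

The parent/child pairing alone is the high-signal part; the argument patterns only add context, since the macro can be rewritten to avoid any given keyword.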

According to Sherrod DeGrippo, senior director of threat research and detection at security firm Proofpoint, the botnet has been observed sending 250,000 messages during the day, mostly to victims in the United States and the United Kingdom. According to other researchers who have been observing Emotet’s activities, targets were also located in the Middle East, South America, and Africa.

The Emotet botnet is known for launching massive campaigns which usually last for short periods of time, then going dormant for weeks or months at a time. True to its MO, the latest Emotet campaign had completely stopped by July 18. Indicators of compromise from the recent Emotet spamming spree can be found here, here, and here.
