After several weeks of silence, the infamous Emotet botnet has returned with a new email distribution campaign attempting to spread malware; Emotet is often used to deliver the Ryuk ransomware and the Trickbot banking trojan.
According to Malwarebytes, Proofpoint and Abuse.ch, the cybercriminals behind Emotet increased activity just before Christmas, with a new campaign spewing more than 100,000 messages in English, German, Spanish, Italian and other languages.
“In typical Emotet fashion, the threat actors continue to alternate between different phishing lures in order to social engineer users into enabling macros. However, in this latest iteration the Emotet gang is loading its payload as a DLL along with a fake error message,” Malwarebytes said.
Some of the malicious emails observed by the researchers were using COVID-19 as a lure. This tactic was already seen in the spring but is still being leveraged, possibly due to the massive second wave observed in the US as well as news about the vaccine rollout.
According to Proofpoint, the lures use thread hijacking with Word attachments, password-protected zips, and URLs.
The latest data from the URLhaus database, which tracks malicious and suspicious domains, shows that although the new Emotet campaign began around mid-December, Emotet spam activity has quickly increased in the past week.
“While some threat actors observe holidays, it is also a golden opportunity to launch new attacks when many companies have limited staff available. This year is even more critical in light of the pandemic and the recent SolarWinds debacle. We urge organizations to be particularly vigilant and continue to take steps to secure their networks, especially around security policies and access control,” Malwarebytes advised.