23 December 2020

Emotet botnet returns days before Christmas

After several weeks of silence, the infamous Emotet botnet has returned with a new email distribution campaign spreading its malware, which is often used to deliver the Ryuk ransomware and the TrickBot banking trojan.

According to Malwarebytes, Proofpoint and Abuse.ch, the cybercriminals behind Emotet increased activity just before Christmas, with a new campaign spewing more than 100,000 messages in English, German, Spanish, Italian and other languages.

“In typical Emotet fashion, the threat actors continue to alternate between different phishing lures in order to social engineer users into enabling macros. However, in this latest iteration the Emotet gang is loading its payload as a DLL along with a fake error message,” Malwarebytes said.

Some of the malicious emails observed by the researchers used COVID-19 as a lure. This tactic was already seen in the spring but is still being leveraged, possibly because of the massive second wave observed in the US as well as news about the vaccine rollout.

According to Proofpoint, the lures use thread hijacking with Word attachments, password-protected zips, and URLs.
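The two attachment types named above (macro-enabled Word documents and password-protected zips) are what a mail gateway would want to flag before delivery. The following is an added triage example written for this page, not code from Malwarebytes, Proofpoint or Abuse.ch. It assumes the standard OOXML layout, in which a VBA project is stored as a `vbaProject.bin` part inside the document's zip container, and it builds its own constructed sample attachments; the "password-protected" sample only has the zip encryption flag bit set, so no real encryption is involved.

```python
import io
import zipfile

# OOXML Office files (.docm, .xlsm, ...) are zip containers; a VBA project lives in a
# part named vbaProject.bin (word/vbaProject.bin for Word, xl/vbaProject.bin for Excel).
MACRO_PART_SUFFIX = "vbaProject.bin"
# Legacy binary Office (.doc/.xls) files are OLE compound documents with this magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Zip general-purpose flag, bit 0: the entry is encrypted (password-protected).
ZIP_ENCRYPTED_FLAG = 0x0001


def classify_attachment(filename, data, depth=0):
    """Return a list of findings for one attachment, looking one level into zip archives."""
    findings = []

    if data.startswith(OLE_MAGIC):
        findings.append(f"{filename}: legacy OLE Office file; inspect for VBA before delivery")
        return findings

    if not data.startswith(b"PK\x03\x04"):
        return findings  # not a zip-based container; nothing to report here

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"{filename}: corrupt zip container")
        return findings

    names = zf.namelist()
    if any(n.endswith(MACRO_PART_SUFFIX) for n in names):
        findings.append(f"{filename}: Office document carries a VBA project (macro-enabled)")
        return findings
    if "[Content_Types].xml" in names:
        return findings  # plain OOXML document without a VBA project

    # An ordinary zip archive: encrypted entries cannot be scanned at the gateway.
    if any(zi.flag_bits & ZIP_ENCRYPTED_FLAG for zi in zf.infolist()):
        findings.append(f"{filename}: password-protected zip; contents cannot be scanned")
        return findings

    if depth < 1:  # look inside plain archives, one level deep
        for zi in zf.infolist():
            nested = classify_attachment(f"{filename}/{zi.filename}", zf.read(zi), depth + 1)
            findings.extend(nested)
    return findings


def triage(attachments):
    """Map each attachment name to its findings; empty lists are clean attachments."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


# --- Constructed sample attachments (not real Emotet artifacts) ---------------------

def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encryption flag bit in every local (PK\\x03\\x04) and central (PK\\x01\\x02)
    header of a constructed zip. This only simulates a password-protected archive for
    the demo; the entry data itself is left unencrypted."""
    out = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + flag_offset] |= ZIP_ENCRYPTED_FLAG
            pos = out.find(sig, pos + 4)
    return bytes(out)


DOCM = build_zip({"[Content_Types].xml": "<Types/>",
                  "word/document.xml": "<w:document/>",
                  "word/vbaProject.bin": b"\x00"})
DOCX = build_zip({"[Content_Types].xml": "<Types/>",
                  "word/document.xml": "<w:document/>"})

SAMPLES = {
    "invoice.docm": DOCM,                                   # macro-enabled Word document
    "report.docx": DOCX,                                    # plain Word document
    "scan.zip": mark_encrypted(build_zip({"scan.doc": "x"})),  # "password-protected" archive
    "files.zip": build_zip({"letter.docm": DOCM}),          # plain archive hiding a macro doc
    "old.doc": OLE_MAGIC + b"\x00" * 16,                    # legacy binary Office header
    "notes.txt": b"plain text",                             # clean attachment
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, "->", findings or "clean")
```

A real deployment would feed the same function with the decoded MIME parts of each inbound message and quarantine anything with a non-empty finding list; the legacy OLE case is only flagged for further inspection here because reading VBA out of a compound document needs an OLE parser, which this example deliberately leaves out.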

The latest data from the URLhaus database, which tracks malicious and suspicious domains, shows that although the new Emotet campaign began around mid-December, Emotet spam activity has quickly increased in the past week.

“While some threat actors observe holidays, it is also a golden opportunity to launch new attacks when many companies have limited staff available. This year is even more critical in light of the pandemic and the recent SolarWinds debacle. We urge organizations to be particularly vigilant and continue to take steps to secure their networks, especially around security policies and access control,” Malwarebytes advised.
