17 September 2019

Emotet botnet returns to action, resumes malspam operations

After several months of inactivity, one of the most dangerous botnets on today’s threat landscape has come back to life with a large new spam campaign aimed at countries all around the world. The new Emotet campaign, targeting Germany, the United Kingdom, Poland, Italy, and the USA, has been spotted by researchers at the cybersecurity firm Cofense Labs and by Spamhaus, an organization that tracks spammers and spam-related activity.

The Emotet command and control (C&C) servers ceased their activity at the beginning of June, but less than three months later, on August 22, they once again began responding to requests, and on September 16 they started spewing malspam. The researchers believe that for the past few weeks the botnet’s operators were busy re-establishing the infrastructure and making the necessary preparations for future attacks.

As Cofense researchers told BleepingComputer, Emotet is now targeting almost 66,000 unique email addresses across more than 30,000 domain names from 385 unique top-level domains (TLDs). The malicious emails come from 3,362 different senders whose credentials had been stolen. The campaign is not aimed at any specific set of targets.

“From home users all the way up to government owned domains. The sender list includes the same dispersion as the targets. Many times we’ve seen precise targeting using a sender whose contact list appears to have been scraped and used as the target list for that sender. This would include b2b as well as gov to gov,” Cofense said.

According to several security researchers, apart from distributing the Emotet malware itself, the spam messages are also being used to infect victims’ machines with the Trickbot trojan, which can serve as a dropper for additional malicious payloads.

The current campaign relies mostly on financial-themed spam emails that look like replies to a previous conversation (reply-chain messages). The observed malicious emails carried a Word document with malicious macro code that installs Emotet on the victim’s computer.

Emotet domain IoCs (indicators of compromise) are available on Pastebin here.
