17 September 2019

Emotet botnet returns to action, resumes malspam operations

After several months of inactivity, one of the most dangerous botnets on today’s threat landscape has come back to life with a new large spam campaign aimed at countries all around the world. The new Emotet campaign, targeting Germany, the United Kingdom, Poland, Italy, and the USA, has been spotted by researchers at cybersecurity firm Cofense Labs and Spamhaus, an organization that tracks spammers and spam-related activity.

The Emotet command and control (C&C) servers ceased their activity at the beginning of June, but less than three months later, on August 22, they again began to respond to requests, and on September 16 the botnet started spewing malspam. The researchers believe that for the past few weeks the botnet’s operators were busy re-establishing the infrastructure and making the necessary preparations for future attacks.

As Cofense researchers told BleepingComputer, Emotet is now targeting almost 66,000 unique emails for more than 30,000 domain names from 385 unique top-level domains (TLDs). The malicious emails come from 3,362 different senders, whose credentials had been stolen. Also, this campaign isn’t aimed at specific targets.

“From home users all the way up to government owned domains. The sender list includes the same dispersion as the targets. Many times we’ve seen precise targeting using a sender whose contact list appears to have been scraped and used as the target list for that sender. This would include b2b as well as gov to gov,” Cofense said.

According to several security researchers, it appears that apart from distributing the Emotet malware, the spam messages are also being used to infect victims’ machines with the Trickbot trojan, which can serve as a dropper for additional malicious payloads.

The current campaign mostly relies on financial-themed spam emails that look like replies to a previous conversation, or reply-chain messages. The observed malicious email contained a Word document with malicious macro code that installs Emotet on the victim's computer.
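As an added example (not from the article, Cofense or Spamhaus), a short Python triage check for the kind of Word attachment described above: it flags an Office Open XML attachment as macro-bearing when the zip container carries a VBA project, whatever the file extension says, and sets legacy binary .doc files aside for closer inspection. The function names, file names and sample bytes are constructed for illustration.

```python
import io
import zipfile

# Legacy binary .doc files are OLE2 compound documents; this is their magic header.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Parts that only exist inside an OOXML container when a VBA project is present.
MACRO_PARTS = ("word/vbaProject.bin", "word/vbaData.xml")


def classify_word_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-binary' or 'not-word'.

    OOXML (.docx/.docm) is a zip archive; a VBA project lives in word/vbaProject.bin.
    Legacy .doc (OLE2) can also embed macros but needs an OLE parser to say for sure,
    so it is reported separately rather than silently passed as clean.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-binary"
    if not data.startswith(b"PK\x03\x04"):
        return "not-word"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "not-word"
    if "word/document.xml" not in names:
        return "not-word"
    if any(part in names for part in MACRO_PARTS):
        return "ooxml-macro"
    return "ooxml-clean"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


def triage(samples: dict) -> dict:
    """Map each attachment name to its verdict; the extension is deliberately ignored."""
    return {name: classify_word_attachment(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    constructed = {  # constructed samples, not real campaign files
        "invoice_reply.docm": make_ooxml(with_macro=True),
        "memo.docx": make_ooxml(with_macro=False),
        "old_invoice.doc": OLE2_MAGIC + b"\x00" * 16,
        "notes.txt": b"hello",
    }
    for name, verdict in triage(constructed).items():
        print(f"{name}: {verdict}")
```

The check inspects content rather than the extension, so a macro-enabled document renamed to .docx is still flagged.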

Emotet Domain IoCs (Indicators of compromise) are available on Pastebin here.
