After several months of inactivity, one of the most dangerous botnets on today's threat landscape has come back to life with a new large spam campaign aimed at countries all around the world. The new Emotet campaign targeting Germany, the United Kingdom, Poland, Italy, and the USA has been spotted by researchers at cybersecurity firm Cofense Labs and SpamHaus, an organization that tracks spammers and spam-related activity.
The Emotet command and control (C&C) servers ceased their activity at the beginning of June, but less than three months later, on August 22, they again began to respond to requests, and on September 16 they started spewing malspam. The researchers believe that for the past few weeks the botnet's operators were busy re-establishing the infrastructure and making the necessary preparations for future attacks.
As Cofense researchers told BleepingComputer, Emotet is now targeting almost 66,000 unique email addresses across more than 30,000 domain names from 385 unique top-level domains (TLDs). The malicious emails come from 3,362 different senders whose credentials had been stolen. This campaign is not aimed at specific targets.
"From home users all the way up to government owned domains. The sender list includes the same dispersion as the targets. Many times we've seen precise targeting using a sender whose contact list appears to have been scraped and used as the target list for that sender. This would include b2b as well as gov to gov," Cofense said.
According to several security researchers, apart from distributing the Emotet malware, the spam messages are also being used to infect victims' machines with the TrickBot trojan, which can serve as a dropper for additional malicious payloads.
The current campaign mostly relies on financial-themed spam emails that look like replies to a previous conversation or reply-chain messages. The observed malicious email contained a Word document with malicious macro code that installs Emotet on the victim's computer once the macro is enabled.
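A defender-side check suggested by that delivery method, added here as an example and not code from Cofense or the article: a mail-gateway triage function that flags Word attachments carrying a VBA project in the OOXML (zip) container, and holds legacy OLE2 .doc files for deeper inspection since their macro storage is not visible from the outside. The sample files it builds are constructed stand-ins, not real lures.

```python
import io
import zipfile

# OLE2 compound-file magic: the legacy binary .doc container, which can embed VBA
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local file header magic of a zip archive, which is what OOXML Word files are
ZIP_MAGIC = b"PK\x03\x04"
# Fixed path of the VBA project inside a macro-enabled OOXML Word file
VBA_PART = "word/vbaProject.bin"


def classify_attachment(data: bytes) -> str:
    """Classify a Word attachment by container type and macro presence.

    Returns one of:
      "ooxml-macro"  - zip-based Word file that carries a VBA project
      "ooxml-clean"  - zip-based Word file with no VBA project
      "ole2-legacy"  - binary .doc container (may embed macros; inspect further)
      "other"        - not a recognised Word container
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        if VBA_PART in names:
            return "ooxml-macro"
        if "word/document.xml" in names:
            return "ooxml-clean"
    return "other"


def should_quarantine(data: bytes) -> bool:
    """Gateway policy: hold anything that carries, or could hide, a VBA project."""
    return classify_attachment(data) in {"ooxml-macro", "ole2-legacy"}


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like a Word OOXML file (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()
```

In production this classification would feed an attachment sandbox or macro-stripping step; the legacy OLE2 branch deliberately errs toward holding the file because this check alone cannot see whether it contains macros.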
Emotet domain IoCs (indicators of compromise) are available on Pastebin.