17 September 2019

Emotet botnet returns to action, resumes malspam operations


After several months of inactivity, one of the most dangerous botnets on today’s threat landscape has come back to life with a new large spam campaign aimed at countries all around the world. The new Emotet campaign, targeting Germany, the United Kingdom, Poland, Italy, and the USA, has been spotted by researchers at cybersecurity firm Cofense Labs and by Spamhaus, an organization that tracks spammers and spam-related activity.

The Emotet command and control (C&C) servers ceased their activity at the beginning of June, but less than three months later, on August 22, they again began to respond to requests, and on September 16 the botnet started spewing malspam. The researchers believe that for the past few weeks the botnet’s operators were busy re-establishing the infrastructure and making the necessary preparations for future attacks.

As Cofense researchers told BleepingComputer, Emotet is now targeting almost 66,000 unique email addresses across more than 30,000 domain names from 385 unique top-level domains (TLDs). The malicious emails come from 3,362 different senders whose credentials had been stolen. The campaign is not aimed at specific targets.

“From home users all the way up to government owned domains. The sender list includes the same dispersion as the targets. Many times we’ve seen precise targeting using a sender whose contact list appears to have been scraped and used as the target list for that sender. This would include b2b as well as gov to gov,” Cofense said.

According to several security researchers, apart from distributing the Emotet malware itself, the spam messages are also being used to infect victims’ machines with the Trickbot trojan, which can serve as a dropper for additional malicious payloads.

The current campaign mostly relies on financial-themed spam emails that look like replies to a previous conversation, or reply-chain messages. The observed malicious email contained a Word document with malicious macro code that installs Emotet on the victim's computer.
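The two traits described above, a lure posing as a reply and a Word attachment carrying a macro project, are both cheap to check at the mail gateway. The following triage script is an added example written for this article, not code from the researchers or the article itself; the messages and attachments it inspects are constructed inline (the `example.invalid` addresses, the invoice subject and the fake VBA bytes are all placeholders), and the macro check covers only OOXML containers (`.docx`/`.docm`), not the legacy binary `.doc` format.

```python
"""
Added example (not from the original article): gateway-style triage that flags
two traits of the described Emotet malspam wave.

  1. A "reply-chain" lure: the Subject claims to be a reply ("RE:" / "AW:") but
     the message carries no In-Reply-To or References header, which a genuine
     mail-client reply would normally add.
  2. A Word attachment that is an OOXML container holding a VBA macro project
     (a word/vbaProject.bin member inside the zip).

All messages and attachments below are constructed for the demo; no real
indicators of compromise are used.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

VBA_MEMBER = "word/vbaProject.bin"  # where OOXML stores the macro project


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container, optionally with a (fake) VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes; a real vbaProject.bin is an OLE2 stream.
            zf.writestr(VBA_MEMBER, b"\xd0\xcf\x11\xe0 fake-vba-project")
    return buf.getvalue()


def has_vba_macro(blob: bytes) -> bool:
    """True if the attachment is an OOXML zip containing a VBA project member."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False  # legacy .doc or not a zip at all; out of scope for this check
    return VBA_MEMBER in names


def looks_like_fake_reply(msg: EmailMessage) -> bool:
    """Subject claims to be a reply but the threading headers of a real reply are absent."""
    subject = (msg.get("Subject") or "").strip().lower()
    claims_reply = subject.startswith(("re:", "aw:"))  # English / German reply prefixes
    has_thread_headers = bool(msg.get("In-Reply-To") or msg.get("References"))
    return claims_reply and not has_thread_headers


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report the two indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    macro_attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith((".doc", ".docx", ".docm")):
            if has_vba_macro(part.get_payload(decode=True)):
                macro_attachments.append(name)
    return {"fake_reply": looks_like_fake_reply(msg),
            "macro_attachments": macro_attachments}


def build_sample(with_macro: bool, fake_reply: bool) -> bytes:
    """Constructed test message: a financial-themed 'RE:' lure with a Word attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "RE: Invoice 4471 overdue"
    if not fake_reply:
        msg["In-Reply-To"] = "<original-message@example.invalid>"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_docx(with_macro), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    print("lure:", triage(build_sample(with_macro=True, fake_reply=True)))
    print("benign:", triage(build_sample(with_macro=False, fake_reply=False)))
```

Both indicators are weak on their own (a legitimate reply can lose its threading headers when forwarded by a ticketing system, and macro-enabled documents have business uses), so treat a hit as a reason to quarantine for analyst review or to strip the attachment, not as a verdict.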

Emotet Domain IoCs (Indicators of compromise) are available on Pastebin here.
