Emotet Botnet Reactivated and Sending Huge Volumes of Malicious Emails

After five months of dormancy, the Emotet botnet has been reactivated and is sending large volumes of spam emails to companies in the United Kingdom and the United States.

The Emotet botnet is a network of compromised computers infected with the Emotet malware. Emotet is an information stealer and malware downloader that has been used to distribute other malware, such as the TrickBot banking Trojan.

Emotet hijacks email accounts and uses them to send spam emails containing malicious hyperlinks and attachments, typically Word and Excel files with malicious macros. When the macros run, a PowerShell script is launched that silently downloads the Emotet malware. Emotet can also spread to other devices on the network, and every infected device becomes part of the botnet.

The emails used in this campaign closely resemble those of earlier campaigns. They use simple but effective lures to target companies, usually bogus invoices, purchase orders, shipping notifications, and receipts. The messages often contain just a single line of text asking the recipient to click a hyperlink or open the attachment. The emails are usually personalized, include the name of the targeted business, and typically carry a subject line beginning with “RE:” to suggest the message is a reply to an email previously sent by the target, for example “RE: Invoice 422132”. Some of the emails in this campaign carry an attachment labeled “electronic.form”.
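The lure traits described above (a “RE:” subject that is not a real reply, a one-line body, a macro-capable Word or Excel attachment, the “electronic.form” label) can be turned into a mail-gateway triage heuristic for defenders. The following is an added example, not code from the article or from any vendor named in it; the sample message is constructed, and the threshold of three indicators is an assumption.

```python
import re
from email import message_from_string
# Word/Excel types that can carry macros, plus the attachment label the article reports.
OFFICE_EXTS = (".doc", ".docm", ".xls", ".xlsm", ".xlsb")
KNOWN_LABEL = "electronic.form"
LINK_RE = re.compile(r"https?://\S+", re.I)

def score_message(raw: str) -> dict:
    # Parse one RFC 822 message and record each lure indicator plus a total score.
    msg = message_from_string(raw)
    subject = msg.get("Subject", "").strip().lower()
    hits = {}
    # A "RE:" subject on a message that carries no reply headers is a faked thread.
    hits["fake_reply"] = subject.startswith("re:") and not (
        msg.get("In-Reply-To") or msg.get("References"))
    office, label, body_lines = False, False, []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:  # attachment: check file type and the campaign's known label
            office = office or fname.lower().endswith(OFFICE_EXTS)
            label = label or fname.lower().startswith(KNOWN_LABEL)
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            body_lines += [ln for ln in text.splitlines() if ln.strip()]
    hits["office_attachment"] = office
    hits["known_label"] = label
    hits["one_line_body"] = len(body_lines) == 1
    hits["has_link"] = bool(LINK_RE.search(" ".join(body_lines)))
    hits["score"] = sum(1 for v in hits.values() if v is True)
    return hits

def is_suspicious(raw: str) -> bool:
    # Assumption: three or more indicators is enough to hold the message for review.
    return score_message(raw)["score"] >= 3

# Constructed sample lure in the shape the article describes (not real campaign mail).
LURE = """Subject: RE: Invoice 422132
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice.
--b1
Content-Type: application/msword; name="electronic.form.doc"

x
--b1--
"""
```

Feeding `LURE` to `score_message` yields four of five indicators, so `is_suspicious` holds it; a genuine two-line internal reply carrying an In-Reply-To header scores zero.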

Several security companies detected the latest campaign. The first test emails were sent on July 13, and the spam campaign proper began on July 17. Proofpoint observed 30,000 messages on July 17; at present about 250,000 emails are being sent each day.

Malwarebytes rated Emotet the greatest malware threat of 2018 and 2019, despite the usual gaps in botnet activity. Activity generally stops around holiday periods for several days or weeks, but the latest hiatus is the longest break in activity since the malware first appeared.

Emotet itself is dangerous malware, but it is the additional payloads Emotet downloads that cause the most damage. The TrickBot Trojan is modular malware with a range of malicious capabilities, such as stealing login credentials, sensitive documents and emails, and Bitcoin wallets. TrickBot frequently downloads Ryuk ransomware once its operators have achieved their own goals.

When Emotet is detected, a rapid response is needed to isolate the infected device and remove the malware. If Emotet is found on one device, it is likely that other devices have also been compromised.

To reduce the risk of infection, companies should send an advisory to staff warning them of the threat and advising them to take extra care, particularly with emails carrying Word and Excel files, even when those emails appear to come from trusted contacts.