Emotet malware is back in action after a five-month hiatus: Emotet botnets started pushing malspam actively on Friday, July 17
After being the most active malware botnet in 2018 and 2019, the Emotet botnet went on a long hiatus, only to return on July 17, 2020. The Emotet botnet’s first campaign of 2020 was spotted by Spamhaus on July 13.
— Spamhaus (@spamhaus) July 15, 2020
Now researchers from Malwarebytes have found a full-fledged campaign in which the Emotet botnet pushed malspam actively on Friday, July 17, using the same techniques it employed previously. The malicious emails contain either a URL or an attachment. One familiar technique is for the document to be sent as a reply within an existing email thread, so it arrives from a known correspondent. The botnet, which runs from three separate server clusters (Epoch 1, Epoch 2 and Epoch 3), has started sending spam emails to infect new users with its malware payload.
The spam emails sent by the Emotet botnet carry either a Word attachment or a URL linking to the download of a Word document. The document contains malicious macros which, if enabled by the user, download and install the Emotet malware.
“The campaign is ongoing and has reached around 250,000 messages so far today,” says Sherrod DeGrippo, Senior Director of Threat Research at Proofpoint. The MS Word attachment contains a heavily obfuscated macro. Once the macro is enabled, WMI launches PowerShell to retrieve the Emotet binary from one of several remote compromised websites; the downloader keeps trying the servers until one responds. Once the Emotet binary has been downloaded, it lies in wait until instructed by a command-and-control server to begin its malicious work — typically downloading and installing further malware onto the victim’s computer.
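The infection chain described above (enabled macro, WMI call, PowerShell downloader) leaves a distinctive process-lineage trace on the endpoint. The following detector is an added example written for this article, not code from Malwarebytes, Proofpoint or any Emotet sample. It assumes process-creation telemetry in the style of Sysmon Event ID 1, exported as one JSON object per line with the fields Image, ParentImage and CommandLine; the sample events embedded in it are constructed for illustration. The main signal is PowerShell whose parent is WmiPrvSE.exe: because the WMI provider host is started by a service rather than by the document's Office process, the Office ancestry is lost, which is why a rule keyed purely on "Word spawned PowerShell" misses this variant. The command-line heuristics are generic downloader traits, not Emotet-specific indicators.

```python
"""Process-lineage detector for the macro -> WMI -> PowerShell chain.

Added example, not code from the article or from the vendors it quotes.
Assumes Sysmon Event ID 1 style telemetry as JSON per line with the fields
Image, ParentImage and CommandLine. All sample events below are constructed.
"""
import json
import re
from typing import Iterable

# Office hosts a malicious macro typically runs inside (assumed, common set).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# The WMI provider host: a macro calling Win32_Process.Create shows up here.
WMI_HOST = "wmiprvse.exe"
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Generic traits of PowerShell downloader one-liners (heuristic, not Emotet-specific).
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\s|downloadstring|downloadfile|invoke-webrequest|"
    r"\biwr\b|-nop\b|-w(indowstyle)?\s+hidden|bypass|frombase64string)",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an event looks like the macro -> WMI -> PowerShell chain."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    # WmiPrvSE launching PowerShell is the hop the article describes; its own
    # parent is svchost.exe, so the Office origin is not visible on this event.
    if parent == WMI_HOST and image in POWERSHELL:
        reasons.append("wmi_spawned_powershell")
    # Other macro variants skip WMI and spawn PowerShell from Office directly.
    if parent in OFFICE_HOSTS and image in POWERSHELL:
        reasons.append("office_spawned_powershell")
    if image in POWERSHELL and SUSPICIOUS_ARGS.search(cmd):
        reasons.append("downloader_style_args")
    return reasons


def scan(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """Parse JSON-per-line events; return (line_number, reasons) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the whole scan
        reasons = classify(event)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample telemetry (not real Emotet data). Line 4 is the WMI-spawned
# downloader; line 5 shows the rule staying quiet for an ordinary PowerShell
# started from Explorer with benign arguments.
SAMPLE_EVENTS = r"""
{"Image":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","CommandLine":"explorer.exe"}
{"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"WINWORD.EXE\" invoice.doc"}
{"Image":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"WmiPrvSE.exe -secured -Embedding"}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","CommandLine":"powershell -w hidden -enc SQBFAFgA"}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -NoProfile"}
"""

if __name__ == "__main__":
    for line_no, reasons in scan(SAMPLE_EVENTS.strip().splitlines()):
        print(f"event {line_no}: {', '.join(reasons)}")
```

Run against the constructed sample, only event 4 fires, with both the lineage reason and the argument heuristic. In production the lineage rule is the one to trust: command-line obfuscation changes between campaigns, but a macro that goes through WMI still produces a PowerShell child of WmiPrvSE.exe.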
Cryptolaemus, a group of security researchers dedicated to detecting and tracking Emotet, has also confirmed Emotet’s comeback.
#emotet We are now seeing spam modules deployed to E1 and E3. E3 is currently spamming as of ~15:00. E1 appears to be about to spam also now.
— Cryptolaemus (@Cryptolaemus1) July 17, 2020
So far security researchers have found no means to block Emotet malware outright. If you receive an email with an MS Word attachment, verify it twice: scan it for malware, and call the sender to confirm it is genuine.