Emotet Botnet Reactivated and Sending Large Volumes of Malicious Emails

The Emotet botnet has been reactivated after a 5-month period of dormancy and is being used to send large volumes of spam emails to organizations in the United States and United Kingdom.

The Emotet botnet is a network of compromised computers that have been infected with Emotet malware. Emotet malware is an information stealer and malware downloader that has been used to distribute a variety of banking Trojans, including the TrickBot Trojan.

Emotet hijacks email accounts and uses them to send spam emails containing malicious links and email attachments, commonly Word documents and Excel spreadsheets containing malicious macros. If the macros are allowed to run, a PowerShell script is launched that silently downloads Emotet malware. Emotet malware can also spread to other devices on the network and all infected devices are added to the botnet.

The emails being used in the campaign are similar to those in previous campaigns. They use fairly simple, yet effective lures to target businesses, typically fake invoices, purchase orders, receipts, and shipping notifications. The messages often include only one line of text requesting that the recipient click a link or open the email attachment. The emails are often personalized and contain the name of the targeted company, and they typically have a subject line starting with “RE:” that suggests the email has been sent in response to an email previously sent by the targeted individual – RE: Invoice 422132, for example. Several of the emails in this campaign have an attachment called “electronic.form.”
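As an added example (not from the article or any vendor's tooling), the following Python heuristic scores a raw message against the lure traits described above: a “RE:” subject with no reply headers, the reported attachment name, macro-capable Office attachments, and a one-line body pointing at an attachment or link. The sample message is constructed, and the scoring rules are assumptions for illustration, not a detection signature.

```python
import re
from email import message_from_string

OFFICE_EXT = re.compile(r"\.(docm?|xlsm?)$", re.IGNORECASE)  # Word/Excel, macro-capable
# Attachment name reported for this campaign.
KNOWN_NAMES = {"electronic.form"}

def emotet_lure_score(raw_message):
    """Return (score, reasons) for a raw RFC 822 message string."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    # A forged "RE:" thread carries no In-Reply-To / References headers.
    if subject.upper().startswith("RE:") and not (msg.get("In-Reply-To") or msg.get("References")):
        reasons.append("RE: subject without reply headers")
    body_lines, attachments = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            body_lines.extend(line for line in text.splitlines() if line.strip())
    for name in attachments:
        if name.lower() in KNOWN_NAMES:
            reasons.append("attachment name seen in this campaign: " + name)
        elif OFFICE_EXT.search(name):
            reasons.append("Office attachment that may carry macros: " + name)
    has_link = any("http" in line.lower() for line in body_lines)
    if len(body_lines) <= 1 and (attachments or has_link):
        reasons.append("one-line body pointing at an attachment or link")
    return len(reasons), reasons

# Constructed sample resembling the campaign lure (not a real message).
SUSPECT = """\
From: accounts@example.com
Subject: RE: Invoice 422132
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form.
--b1
Content-Type: application/octet-stream; name="electronic.form"
Content-Disposition: attachment; filename="electronic.form"

--b1--
"""
```

A genuine reply with the same subject but real In-Reply-To headers, a multi-line body and no attachment scores zero, which is the contrast a mail-gateway rule built on these traits should preserve.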

The latest campaign has been detected by several security companies. The first test emails were sent on July 13, and the spam campaign commenced on July 17. Proofpoint detected 30,000 messages on July 17, but now around 250,000 emails are being sent each day.

Malwarebytes rates Emotet as the biggest malware threat of 2018 and 2019, even with the regular breaks in botnet activity. Typically, activity stops around holiday periods for a few days or weeks, but the latest hiatus is one of the longest breaks in activity since the malware first appeared.

Emotet itself is a dangerous malware variant, but it is the additional payloads that Emotet downloads that cause the most damage. The TrickBot Trojan is a modular malware that can perform a range of malicious functions, such as stealing login information, sensitive files and emails, and Bitcoin wallets. The TrickBot Trojan often downloads Ryuk ransomware after the operators have achieved their own objectives.

If Emotet malware is detected, a rapid response is required to isolate the infected device and remove the malware. If Emotet is found on one device, it is likely that other devices will also have been compromised.

To reduce the risk of infection, organizations should send an alert to their employees warning them of the threat and advising them to take extra caution, especially with emails containing Word documents and Excel spreadsheets, even if those emails appear to have been sent from trusted contacts.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.