Emotet Returns After a Summer Break

What Is It?

First discovered in 2014, the Emotet trojan has previously been the subject of several Threat Reports.

Initially a banking trojan, it has since evolved to focus on the sending of spam emails and distribution of other malware. This change in functionality might be tied be more profitable option for its authors.

In early June 2019, it was observed that its C2 (command and control) servers had stopped communicating with infected systems. Researchers posited this would be a temporary shutdown and were proven correct, as C2 traffic restarted on August 22nd. After the restart, it appears that the authors performed some housekeeping on their infrastructure, such as removing fake bots attempting to communicate to the C2 servers and preparing the next campaign.

In mid-September the new campaign began, aimed at users in the U.S., the UK, Poland, Italy and Germany. This was a widespread campaign, with spam emails received by home users in addition to corporate and government organizations. Researchers from Cofense Labs found emails from this campaign were sent to users at more than 30,000 domain names and came from 3,362 unique senders at 1,875 domains. The sender’s email credentials had previously been stolen. The spam emails used mainly financially orientated lures, such as overdue bills or payment receipts and were written in the language (English, Polish, Italian and German) matching the domain they were sent to. True to form for Emotet, the attachments to these emails were Microsoft Word documents with malicious macros. Once the Emotet trojan was installed, the Trickbot trojan was downloaded, which frequently results in a tertiary infection of Ryuk ransomware.

The campaign described above has been followed up with another beginning this week. Utilizing another oft-used technique from the attacker’s playbook, the lure of this campaign is that the attachment is a Microsoft Word copy of the highly-publicized and controversial new book by Edward Snowden.

Researchers from Malwarebytes Labs found examples of these spam emails in English, French, Spanish, German and Italian. When the user opens the Microsoft Word document, it uses a similar social engineering technique to the previous campaign to convince users to provide the necessary permissions to allow the malicious macro to execute. In this case, it states Word has not been activated and in order to continue using it, they must enable editing and enable content.

Emotet continues to be an extremely dangerous and prolific threat, in most cases a triple threat of Emotet, Trickbot and Ryuk. The potential end result being the theft of data and credentials followed by encryption of user’s data.

How Does It Propagate?

Emotet uses malicious Microsoft Word documents attached to spam emails as its initial infection vector. However, Emotet also contains a list of frequently used passwords which it uses to attempt to access and infect other systems on the network.

When/How Did BluVector Detect It?

Samples are publicly available from both Emotet campaigns described above and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown samples of both the malicious Microsoft Word documents and the Emotet trojan would have been detected for up to 69 months prior to their release.

All Threat Reports