The Emotet banking malware is back in action, pushing a massive new spam campaign. Emotet recently gained the ability to steal users' emails, and just a week later it began pushing the new spam campaign. The cybercriminals operating the modular banking malware had been lying low for a while, presumably gearing up for this large-scale campaign.
Emotet is known for its worm-like features, which allow it to self-propagate. It can also be used as a downloader or dropper capable of installing additional malicious payloads.
According to security experts at ESET, the new Emotet campaign began on November 5 and appears to be targeting victims in the US, UK, Turkey, and South Africa. The banking malware is using malicious Word and PDF documents that pose as invoices, payment notifications, and bank account alerts.
The researchers believe that the cybercriminals operating the new Emotet campaign have been targeting English and German-speaking users.
The attack begins when a victim opens the malicious Word or PDF file, which appears to come from a legitimate organization. The malicious document prompts the victim to enable macros. Once this is done, Emotet is installed and launched, and it persistently conducts malicious activities. Once Emotet has established a connection with the C2 server, the malware receives instructions to install additional payloads.
“The modules extend the initial payload’s functionality with one or more of credential-stealing, network propagation, sensitive information harvesting, port forwarding, and other capabilities,” ESET researchers said in a report. “As for the secondary payloads, this campaign has seen Emotet dropping TrickBot and IcedId on compromised machines.”
The reemergence of Emotet indicates that the banking malware remains a persistent and active threat. It is also an example of how cybercriminals operating popular malware variants sometimes go dark for a while to improve their malware and come back with a bang.