Infamous Emotet botnet returns after a break

• The Emotet botnet has resurfaced in spam campaigns after a period of nearly four months.
• The new campaign is targeted at Poland and Germany primarily, among other countries.

Emotet was on a break

Researchers observed that the command and control servers of the Emotet botnet were shut down since June.

• On August 22, the infrastructure was live again, but no active campaigns were recorded.
• Security researchers had predicted that Emotet would reappear after the necessary preparations for new spam campaigns.

Raashid Bhat, a security researcher at Spamhaus, told ZDNet, “Initially, they didn't start sending out spam right away. For the past few weeks, the C&C servers have been sitting idly, serving binaries for the Emotet ‘lateral movement’ and ‘credentials stealing’.”

The latest news

Cofense Labs has also analyzed the Emotet’s return. Observations made by security researchers indicate that the campaign sends emails with financial themes.

• Most of these emails disguise themselves as a reply to a previous conversation to convince potential victims to open them.
• Some of the emails were also observed to be sent with vague details in the body to entice users to open or download the attachments.
• Researchers observed emails with seemingly legitimate Word documents that contain malicious macro code. This macro code is disabled by default on Word, but attackers lure victims into enabling it with license agreements.
• The websites compromised to spread Emotet include www[.]holyurbanhotel[.]com, nautcoins[.]com, broadpeakdefense[.]com among others.

Possible aftermath

Infected systems are added to the Emotet’s botnet, following which malicious modules are delivered.

• The modules can harvest personal data and steal email threads for use in campaigns.
• Emotet has also been observed to provide Malware-as-a-Service (MaaS), where other threat actors can rent Emotet infected systems to deliver their malware. Ryuk is notorious for infecting systems that have already been infected with Emotet.

The Cryptolaemus research group has published Indicators of Compromise (IOCs) for this Emotet campaign that you can monitor in your systems.