Emotet, a modular, multi-purpose malware, was one of the most active botnets of 2019. After going silent in February 2020, Emotet has recently returned with a new spam campaign.
Emotet surges back to life
In July 2020, security researchers and firms including Cryptolaemus, CSIS, Malwarebytes, Abuse.ch, and Spamhaus confirmed Emotet's comeback.
- Emotet launched a spam campaign that primarily targeted recipients in the US and UK with phishing lures written in English. The campaign has so far sent around 80,000 messages.
- The emails carried malicious Word or Excel attachments whose macros download and install the Emotet Trojan on the victim's computer once the recipient enables them.
- Once installed, Emotet deploys additional modules that steal the victim's email, spread to other computers on the network, or use the infected computer to send further spam.
From banking Trojan to cybercrime empire
Emotet has evolved from a closed group that stole money from people's bank accounts into an open operation that rents access to infected computers to other prolific malware gangs, effectively becoming a cybercrime empire.
- In March 2020, the crypters used to pack Emotet were observed embedding text from Coronavirus news stories in an attempt to evade detection by security software.
- In February 2020, Emotet was using fake bank domains in targeted SMiShing spam campaigns.
- In the same month, Emotet had launched a phishing scam against financial institutions, food, media, and transportation industries in the US and UK using fake invoices loaded with malware.
A useful tool
In February 2020, JPCERT/CC (Japan's computer emergency response team) released a utility named 'EmoCheck' that lets Windows users check whether a machine is infected with the Emotet Trojan. Network administrators can also run it from a login script to quickly find Emotet-infected machines and contain them before the infection escalates into a full-blown ransomware attack (Emotet infections at the time were frequently followed by TrickBot and Ryuk). Note that EmoCheck only recognises Emotet variants known at the time of its release, so a clean result is not proof that a host is uninfected, and JPCERT/CC has had to update the tool as Emotet changed.
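The login-script use described above, as an added PowerShell example that is not part of EmoCheck or of the original page. It assumes the EmoCheck binary is staged on a read-only file share, that each host writes its report to a per-host folder on a central share, and that the JSON report exposes an "is_infected" field ("yes"/"no") and an "emotet_processes" list with "process_name", "process_id" and "image_path" entries, as shown in the EmoCheck README at the time of writing; the share paths and the log-file name are placeholders for this example. The command-line options used (/quiet, /json, /output) are the ones documented in the EmoCheck README; verify them against the version you deploy.

```powershell
# Hypothetical login-script wrapper around JPCERT/CC's EmoCheck.
# Example code, not part of the EmoCheck project. Paths and JSON field names
# below are assumptions for this example; adjust them to your environment.

$EmoCheckExe = '\\fileserver\tools\emocheck_x64.exe'   # assumed read-only staging path
$ReportRoot  = '\\fileserver\emocheck-results'         # assumed central collection share
$HostDir     = Join-Path $ReportRoot $env:COMPUTERNAME

if (-not (Test-Path $EmoCheckExe)) {
    Write-Warning "EmoCheck binary not found at $EmoCheckExe"
    exit 2
}
New-Item -ItemType Directory -Path $HostDir -Force | Out-Null

# /quiet suppresses the completion dialog so the login script does not block,
# /json writes a machine-readable report, /output selects the report directory.
& $EmoCheckExe /quiet /json /output $HostDir

# Pick up the newest JSON report produced for this host.
$Report = Get-ChildItem -Path $HostDir -Filter '*.json' -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1
if (-not $Report) {
    Write-Warning "No EmoCheck report produced on $env:COMPUTERNAME"
    exit 2
}

$Result = Get-Content -Raw -Path $Report.FullName | ConvertFrom-Json

# Assumed field name: "is_infected" with the values "yes" / "no".
if ($Result.is_infected -eq 'yes') {
    # Record the flagged processes centrally so the IR team can isolate the host.
    # Do not attempt to kill or clean anything from a login script: that destroys
    # forensic evidence and Emotet will simply re-launch via its persistence.
    $Procs = ($Result.emotet_processes | ForEach-Object {
                  "$($_.process_name) (pid $($_.process_id)) $($_.image_path)"
              }) -join '; '
    $Line  = '{0} {1} {2} EMOTET-DETECTED {3}' -f (Get-Date -Format o), $env:COMPUTERNAME, $env:USERNAME, $Procs
    Add-Content -Path (Join-Path $ReportRoot 'detections.log') -Value $Line
    exit 1
}

# Clean result: still record that the host was scanned, so gaps in coverage show up.
Add-Content -Path (Join-Path $ReportRoot 'scanned.log') -Value ('{0} {1} clean' -f (Get-Date -Format o), $env:COMPUTERNAME)
exit 0
```

The detection and scan logs are what make this useful: a detections.log entry should feed straight into your ticketing or EDR isolation workflow, and comparing scanned.log against the asset inventory shows which machines never ran the check. Because the script runs under the logging-in user's token, it only sees what that user can see, so treat it as a cheap first sweep rather than a substitute for endpoint telemetry.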