More Magic Out of Its Hat - Emotet Found Using Stolen Email Attachments

Emotet has once again been found sharpening its attacks with new tactics. Beyond reusing fake or stolen email content, it now attaches stolen, legitimate files to its spam to lure its targets.

Emotet infections are serious

Recently, Cofense Labs observed that the Emotet operators have been working to make their campaigns look more authentic.
  • To make the spam emails used to infect target systems more convincing, the malware now combines stolen legitimate attachments with hijacked email conversation threads (some of which, Cofense found, were themselves fake extortion emails).
  • According to MalwareTech, the attachment-stealing capability first appeared in Emotet's email stealer module around June 13, 2020; the module also harvests email content and contact lists.
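A first-pass triage check for the lure described above, written as an added example for this brief (it is not code from Cofense, MalwareTech, or the Emotet authors). It parses a message, asks whether it looks like a reply that lacks threading headers, and whether it carries a macro-capable Office attachment. The two sample messages, the `.invalid` domain names, the threading-header heuristic, and the treatment of legacy OLE files as macro-capable are all assumptions made for the illustration:

```python
"""Heuristic triage of a reply-chain lure carrying an Office attachment.

Added example for this write-up; it is not Cofense's or MalwareTech's
code. The sample messages are constructed inline and the header and
attachment checks are assumptions chosen for illustration.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Compound File Binary (OLE2) magic: legacy .doc/.xls/.ppt containers.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Office extensions that can legitimately carry VBA (assumed list).
OFFICE_EXT = re.compile(r"\.(docm?|dotm?|xlsm?|xlam|pptm?)$", re.I)
# Subject prefixes that make a message look like part of a thread.
REPLY_SUBJECT = re.compile(r"^\s*(re|aw|fw|fwd|wg)\s*:", re.I)


def attachment_has_macros(data: bytes) -> bool:
    """Return True when an Office attachment can carry VBA code.

    OOXML files are zip containers; a vbaProject.bin part means macros.
    Legacy OLE2 files are treated as macro-capable outright, because
    walking the OLE 'Macros' storage is out of scope here (assumption).
    """
    if data.startswith(OLE_MAGIC):
        return True
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message for the reply-chain + attachment lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    findings = []

    # A genuine reply normally carries In-Reply-To/References; a freshly
    # composed mail that merely pastes a stolen thread into its body does
    # not (assumption used as a weak signal, not proof).
    looks_like_reply = bool(REPLY_SUBJECT.match(subject)) or bool(
        re.search(r"^>?\s*From:", text, re.M))
    threaded = bool(msg.get("In-Reply-To") or msg.get("References"))
    if looks_like_reply and not threaded:
        findings.append("reply-style message without In-Reply-To/References")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if OFFICE_EXT.search(name) and attachment_has_macros(data):
            findings.append(f"macro-capable Office attachment: {name}")
            if looks_like_reply:
                findings.append("macro document delivered inside a reply thread")

    verdict = "suspicious" if len(findings) >= 2 else "clean"
    return {"subject": subject, "findings": findings, "verdict": verdict}


def _docm_with_vba() -> bytes:
    """Minimal constructed OOXML container with a VBA part (not a real doc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_lure_eml() -> bytes:
    """Constructed lure in the style described above: a 'RE:' message that
    quotes a stolen thread and carries a stolen-looking macro document."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.invalid"
    msg["To"] = "finance@company.invalid"
    msg["Subject"] = "RE: Invoice 4471 - March"
    msg.set_content(
        "Please see the attached file.\n\n"
        "> From: finance@company.invalid\n"
        "> Subject: Invoice 4471 - March\n"
        "> Could you resend the March invoice?\n")
    msg.add_attachment(_docm_with_vba(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_4471.docm")
    return msg.as_bytes()


def build_benign_eml() -> bytes:
    """Constructed genuine reply: threading headers present, PDF attached."""
    msg = EmailMessage()
    msg["From"] = "finance@company.invalid"
    msg["To"] = "accounts@supplier.invalid"
    msg["Subject"] = "RE: Invoice 4471 - March"
    msg["In-Reply-To"] = "<a1b2c3@supplier.invalid>"
    msg["References"] = "<a1b2c3@supplier.invalid>"
    msg.set_content("Thanks, received.\n\n> Could you resend the March invoice?\n")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for build in (build_lure_eml, build_benign_eml):
        print(triage(build()))
```

The point of the check is that a stolen attachment defeats content-based filters precisely because it is genuine; what remains detectable is the mismatch between a message that presents itself as part of a thread and the way it was actually assembled, plus the one thing Emotet still has to add, the macro document. Treat the verdict as a triage signal to feed into sandboxing or manual review, not as a block decision.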

The malware of the month

The malware picked up where it had left off in February 2020, reviving itself after more than five months of inactivity.
  • Emotet malware revived on July 17, 2020, and has already wreaked havoc in this short span of time.
  • Just one day after its return, the malware found a new companion in Qakbot, delivered as a secondary payload in its infection chain.
  • Very recently, it was spotted distributing TrickBot malware in massive spam campaigns.

Silver Lining

Operation ‘Emotehack’ replaced Emotet’s malicious payloads with popular (funny and harmless) GIFs and halted its operations for approximately three days. Unfortunately, the Emotet gang spotted the swap and quickly restored the original payload.

Speculations

Emotet provides attackers with a foothold on a network from which additional attacks can be launched.
  • Based on its recent activity, experts indicate that QakBot can deploy ProLock ransomware as the final payload on some systems initially infected with Emotet.
  • It is also expected that the infamous trifecta - Emotet, Ryuk, and TrickBot - may return to wreak havoc.