After a nearly two-month hiatus, the Emotet botnet sprung back to life this week with a fresh spamming and phishing campaign designed to spread other malware, such as TrickBot, as secondary payloads.
“The Emotet botnet is one of the most prolific senders of malicious emails when it is active, but it regularly goes dormant for weeks or months at a time,” the Cofense researchers note. “This year, one such hiatus lasted from February through to mid-July, the longest break we’ve seen in the last few years. Since then, we observed regular Emotet activity through the end of October, but nothing from that point until today.”
The last campaign observed was on Oct. 30, 2020. It’s not clear why the threat actor abruptly stopped distribution in October. But by this week, researchers had detected more than 100,000 Emotet-laced emails written in English, German, Spanish, Italian and other languages.
The latest Emotet campaign starts with holiday-themed phishing emails delivering Word documents, some of which leverage previous victims’ stolen data so they appear more authentic. Other phishing emails use generic templates, which are then tweaked with current news or other topics to entice users to click on a malicious link, researchers say.
The latest phishing emails contain malicious macro code to install Emotet, and the emails claim that this “protected” document requires users to enable macros in order to open it. A dialog also appears stating that Word experienced an error while trying to open the file.
This gives the user an explanation as to why they don’t see the content immediately, and they will likely ignore the incident while Emotet runs in the background and infects the device, according to the Cofense researchers.
The researchers also note that the operators behind Emotet have tweaked its code to better avoid detection by security tools. For example, the malware had previously used a standalone executable file with a “.exe” filename, but this has been changed to a Dynamic Link Library file that is initialized using a built-in Windows program called rundll32.exe, which makes the malware more difficult to detect.
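As an added illustration that is not part of the article or Cofense’s research, the following heuristic flags the rundll32.exe loader chain described above in process-creation telemetry: it scans a few constructed (hypothetical) events and reports rundll32.exe launched by an Office application or loading a DLL from a user-writable directory.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\xy12.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\update.dll,#1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

# Office binaries that should rarely, if ever, spawn rundll32.exe directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Directories a standard user can write to; a DLL loaded from here is unusual.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\temp\\)", re.I)
# The first argument to rundll32 is the DLL path, optionally followed by ,EntryPoint.
DLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^,"]+?\.dll)', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of reasons an event is suspicious (empty list means benign)."""
    reasons = []
    if basename(event["image"]) != "rundll32.exe":
        return reasons
    if basename(event["parent"]) in OFFICE_PARENTS:
        reasons.append("rundll32 spawned by Office process")
    m = DLL_ARG.search(event["cmdline"])
    if m and USER_WRITABLE.search(m.group(1)):
        reasons.append("DLL loaded from user-writable path: " + m.group(1))
    return reasons

def scan(events):
    """Return (index, reasons) for every suspicious event in the list."""
    hits = []
    for i, e in enumerate(events):
        reasons = classify(e)
        if reasons:
            hits.append((i, reasons))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the first event on both counts and the third on the path check only; the second, a legitimate Control Panel launch, is left alone.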
“Emotet’s command-and-control communication has also been changed to use binary data rather than plain text, which will likely make it more difficult to detect at the network level,” the researchers add.