After going dark in early February of this year, Emotet has resurfaced from its five-month absence with a new MalSpam (malicious spam) campaign. Emotet was the most active malware botnet of 2019, and threat researchers had a feeling that its return was inevitable in the long run. “It was only a matter of time,” says Threat Researcher Fabian Sanz from the Avira Protection Labs. “We didn’t expect Emotet to stay silent for so long, but now it’s back in full force, and as dangerous as ever.”
What is Emotet?
The Emotet trojan is a special case of malware-as-a-service, but it originated as a banking trojan back in 2014. Generally, Emotet shows up in very legitimate-looking phishing emails that entice users to click on malicious links, PDFs, or attached macro-enabled Microsoft Word documents. It aims to steal login information and email credentials and tries to spread over the network, while downloading additional malware plugins and standalone threats from its command & control servers to deploy on already infected systems.
Acting as a spearhead, Emotet pries a system open for other malware to take advantage of. Emotet, together with the threats it brings along, is therefore considered one of the most costly and destructive attack combinations. This is due to Emotet’s complex and mature anti-analysis mechanisms, such as the use of polymorphic packers and heavy encryption, together with its high-volume email campaigns. The result is a threat bundle that is not only hard to detect with traditional detection technology but also very prevalent around the globe.
Emotet makes its return
Threat researchers detected Emotet’s return just a few days ago. Running from three separate server clusters, the botnet sent out a blast of 250,000 messages, at first mostly to people in the US and UK. Following its historical pattern, the messages, uncannily well crafted to look as convincing as possible, contain either a malicious document or a link to a malicious file that, when activated, installs the Emotet payload. Typically, it remains dormant for a few days before installing the tag-along malware, which is often the TrickBot banking trojan or the Ryuk ransomware.
While the first batch of emails was seemingly targeted only at English-speaking countries, localized versions in languages such as French, German, Spanish, and Italian followed quickly thereafter. The Avira Protection Labs saw attacks prevented all around the globe, and has already collected over 4,000 unique Emotet samples in the last four days alone. Threat Researcher Fabian Sanz further comments: “The methods used by the actors behind Emotet have not changed drastically since February. The malicious Office documents, for example, use basically the same VBA-script based downloaders to deploy the Emotet payload. The codebase of Emotet itself has changed slightly, but overall remained similar with its many decoy functions, dynamic resource resolving, and multiple decryption stages.”
How can you protect yourself against the Emotet malware botnet?
This isn’t the first time that the Emotet botnet beast has awakened from a slumber. It’s been known to run big spam campaigns before taking breaks that last anywhere from a few weeks to a few months. And it often goes silent over weekends and major holidays.
Its return is another not-so-friendly reminder of just how important it is to think twice about the emails we receive, even those from known contacts. To better protect yourself against an email malware attack, follow the precautions below:
Be skeptical. Before clicking on a link or file sent in an email, take a minute to evaluate the context. For example, ask yourself if your friend or acquaintance would really send you an invoice or payment.
Be suspicious. Think twice when it comes to Word documents that require macros to be enabled before viewing. For most people and situations, there is rarely a reason to use this function. You can also open a Word document in Google Docs to prevent any malware from being installed on your local computer.
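A mail filter can apply the macro precaution automatically. The following is an added example, not Avira's code: it flags e-mail attachments whose content can carry VBA macros, judging by file content rather than file name. The sample message, file names and function names are constructed for illustration.

```python
from __future__ import annotations
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary Office container

def macro_reason(data: bytes) -> str | None:
    """Return why a file may carry VBA macros, or None if no sign is found."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: macros cannot be ruled out without an OLE parser.
        return "legacy OLE2 Office file, macros possible"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None
        # Macro-enabled OOXML files store their VBA in a vbaProject.bin part.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "OOXML file with embedded VBA project"
    return None

def flag_attachments(raw_email: bytes) -> dict[str, str]:
    """Map attachment file name -> reason, for every suspicious attachment."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        reason = macro_reason(part.get_payload(decode=True) or b"")
        if reason:
            flagged[part.get_filename() or "(unnamed)"] = reason
    return flagged

def build_sample_email() -> bytes:
    """Constructed sample: a macro-bearing OOXML file named .doc, plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name, data in (("invoice.doc", buf.getvalue()), ("notes.txt", b"hello")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(flag_attachments(build_sample_email()))
```

A flagged attachment is a candidate for quarantine or closer inspection, not proof of Emotet; legitimate documents can also contain macros.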