
Emotet Malware Threat Actors Return with Massive Email Campaign

Reports from Proofpoint and Malwarebytes found the notorious Emotet malware threat actors have reemerged after a hiatus, sending 250,000 malicious emails with highly obfuscated macros.

The notorious Emotet malware threat actors have resurfaced after a five-month hiatus with a massive campaign that has sent well over 250,000 emails containing highly obfuscated, malicious macros during the first week of its return, according to recent reports from Malwarebytes and Proofpoint.

Last seen in January, the Emotet trojan was first discovered in the wild in 2014 as a banking trojan. But its threat actors have continually worked to evolve the malware variant, quickly emerging as a botnet and malware for hire. 

The trojan is often paired with other threats, such as information stealers, email harvesters, self-propagation mechanisms, and ransomware, in an effort designed to more fully monetize their attacks. Most recently, Proofpoint noted that Emotet delivers third-party payloads like Qbot, IcedID, Gootkit, and The Trick. 

The socially engineered spam emails leverage stolen email content to make it easy for hackers to dupe users into thinking they’re responding to a legitimate email. 

In previous campaigns, Emotet would send replies within legitimate conversations from the victims’ email accounts. The malware could compose attack messages from the infected account, although the method was used in just 8.5 percent of attacks.

However, the unique methods used by Emotet are what make the threat highly effective.

The trend with Emotet tends to be a surge in attacks and then a lull, while the hackers modify and improve their attack methods. The latest campaign to resurface has quickly sent more than a quarter of a million malicious emails across the globe to various sectors. 

First spotted on July 13 by the international threat intelligence organization known as the Spamhaus Project, the first effort included a small amount of activity using low volumes of Emotet malspam. Researchers worried that the renewed efforts would lead to a bigger campaign. 

The following day, Malwarebytes detected a highly active campaign of Emotet botnets pushing malspam using the same techniques previously employed in past campaigns. 

“Malicious emails contain either a URL or an attachment. One familiar technique is for the document to be sent as a reply within existing email threads,” Malwarebytes researchers explained. 

The emails and attachments contain highly obfuscated macros, which Microsoft also alerted to on July 17. Microsoft warned the malicious macros run a PowerShell script to download the payload from five separate download links. 

“We have so far seen several hundreds of unique attachments and links in tens of thousands of emails in this campaign,” Microsoft researchers wrote. “The download URLs typically point to compromised websites, characteristic of Emotet operations.” 

Proofpoint determined the threat actor known as TA542 targeted multiple verticals in the US and UK with English-language lures. The messages contain malicious Microsoft Word attachments or URLs that link to a Word document, often hosted on compromised WordPress sites.

Further, similar to lures previously used by Emotet, the emails are simple with minimal customization. Subject lines use “RE:” and “Invoice #” followed by a fake invoice number and often the name of the targeted organization.

When the macro is enabled, Emotet is downloaded and installed on the victim’s host. The enabled macro uses Windows Management Instrumentation (WMI) to launch PowerShell, which iterates through a list of remote compromised websites until it finds one that responds and retrieves the Emotet binary from it, Malwarebytes researchers explained.

Once the payload is executed, a confirmation is sent to an Emotet command and control server. Proofpoint noted that Emotet will download and install additional modules to steal credentials, harvest emails, and proliferate across connected, vulnerable devices on the network. 
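The chain described above (macro enabled in an Office document, WMI used to launch PowerShell, PowerShell fetching the binary from a list of URLs) is what a detection engineer would look for in endpoint process-creation telemetry. The following is an added example, not code from the Malwarebytes or Proofpoint reports: it scores PowerShell launches whose parent is the WMI provider host (or an Office application directly), looks for download or decoding hints in the command line, and correlates with a recent Office process start on the same host, since WMI launching breaks the direct Office-to-PowerShell parent link. The event layout, host names, PIDs, and the base64 placeholder are all constructed for the example.

```python
"""Detect the Office -> WMI -> PowerShell download chain in process-creation logs.

Added example for illustration; the events below are constructed and mimic
Sysmon/EDR process-creation records (timestamp, host, pid, ppid, image, cmdline).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
WMI_HOST = "wmiprvse.exe"
# Substrings commonly seen in download-and-execute PowerShell one-liners.
CRADLE_HINTS = (
    "downloadfile", "downloadstring", "invoke-webrequest", "net.webclient",
    "-encodedcommand", "-enc ", "frombase64string", "start-bitstransfer",
)


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str      # lower-case image file name
    cmdline: str


@dataclass(frozen=True)
class Finding:
    event: ProcEvent
    reasons: tuple[str, ...]


def _cradle_hints(cmdline: str) -> list[str]:
    """Return the download/decoding hints present in a command line."""
    lc = cmdline.lower()
    return [h.strip() for h in CRADLE_HINTS if h in lc]


def detect_office_wmi_chain(events: Iterable[ProcEvent],
                            window: timedelta = timedelta(minutes=5)) -> list[Finding]:
    """Flag PowerShell started by WmiPrvSE or an Office app, with supporting context.

    Simplification (assumption): PIDs are treated as unique per host within the log.
    """
    events = sorted(events, key=lambda e: e.ts)
    by_key = {(e.host, e.pid): e for e in events}
    office_starts = [e for e in events if e.image in OFFICE]
    findings: list[Finding] = []
    for e in events:
        if e.image not in SHELLS:
            continue
        parent = by_key.get((e.host, e.ppid))
        reasons: list[str] = []
        if parent and parent.image == WMI_HOST:
            reasons.append("powershell launched by WMI provider host")
        elif parent and parent.image in OFFICE:
            reasons.append(f"powershell launched directly by {parent.image}")
        else:
            continue  # interactive or service-launched shells are out of scope here
        hints = _cradle_hints(e.cmdline)
        if hints:
            reasons.append("download/decoding cradle in command line: " + ", ".join(hints))
        # WMI launching hides the Office parent, so correlate by host and time instead.
        recent = [o for o in office_starts
                  if o.host == e.host and timedelta(0) <= e.ts - o.ts <= window]
        if recent:
            delta = int((e.ts - recent[0].ts).total_seconds())
            reasons.append(f"{recent[0].image} started {delta}s earlier on {e.host}")
        findings.append(Finding(e, tuple(reasons)))
    return findings


# Constructed sample telemetry: one infection-like sequence and one benign admin shell.
T0 = datetime(2020, 7, 17, 9, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "ws-42", 4100, 2200, "winword.exe",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\jdoe\Downloads\Invoice #4412.doc"'),
    ProcEvent(T0 + timedelta(seconds=20), "ws-42", 4312, 900, "wmiprvse.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(T0 + timedelta(seconds=21), "ws-42", 4390, 4312, "powershell.exe",
              "powershell -w hidden -enc <constructed-base64-placeholder>"),
    ProcEvent(T0 + timedelta(minutes=1), "ws-07", 4800, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(T0 + timedelta(minutes=1), "ws-07", 5000, 4800, "powershell.exe",
              "powershell.exe -NoProfile Get-Service"),
]

if __name__ == "__main__":
    for f in detect_office_wmi_chain(SAMPLE_EVENTS):
        print(f"{f.event.host} pid={f.event.pid}: " + "; ".join(f.reasons))
```

Run against the constructed events, only the ws-42 PowerShell instance is reported: its parent is WmiPrvSE, its command line carries an encoded-command hint, and WINWORD started 21 seconds earlier on the same host. The explorer-launched admin shell on ws-07 is ignored. Tuning the time window and the hint list to the environment is the usual next step.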

The Proofpoint and Malwarebytes reports also include indicators of compromise. 

“The Emotet Trojan was by far the most visible and active threat on our radars in 2018 and 2019, right up until it went into an extended break,” Malwarebytes researchers explained. “Emotet is used by cybercriminals as the initial entry point, followed by a dwell time that can last days or weeks.”

“In the meantime, other threats such as TrickBot can be delivered as a secondary payload,” they added. “The real damage that an Emotet compromise causes happens when it forms alliances with other malware gangs and in particular threat actors interested in dropping ransomware.” 

Healthcare organizations should refer to recent guidance from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency to better understand malware security events, including how the virus can get into a network and ways to better protect enterprise security. 
