Light Dark
July 28, 2020 By David Bisson 3 min read

A malspam campaign involving Emotet saw a resurgence after five months of laying low, Malwarebytes detected on Friday, July 17. This operation used the well-known method of sending attack emails as a reply within an existing email thread. From there, the emails invited the recipient to open an attachment. Named “Form – Jul 17, 2020.doc,” the attachment opened a Microsoft Word document that informed the user of the need to enable content.

If they agreed to do so, the user inadvertently enabled a heavily-obfuscated macro embedded within the document. That macro then proceeded to call Windows Management Instrumentation (WMI), which in turn launched PowerShell. As its final phase, the campaign used PowerShell to iterate through a list of compromised remote websites. Once it identified one that was responding, the operation pulled down an Emotet payload and installed it on the victim’s machine. Then, the malware sent confirmation back to one of its command-and-control (C&C) servers.

Restoring the “Real Damage” of an Emotet Attack

Malwarebytes notes the real damage from an Emotet infection comes from the threat group’s alliances with other malware actors. In particular, it opens machines up to actors responsible for families that are capable of dropping ransomware onto an infected computer. The actors responsible for coordinating Emotet’s attacks are aware of this point.

Just three days after Malwarebytes spotted this malspam campaign, a security researcher told Bleeping Computer that they had spotted Emotet distributing TrickBot, a trojan which has a history of distributing ransomware such as Conti and Ryuk. Just a day later, Bleeping Computer learned the Emotet gang had begun distributing QakBot across all three branches of the botnet’s infrastructure. QakBot is another preferred partner of Emotet that has in some instances loaded ProLock ransomware onto infected machines.

Emotet: Threat Activity Before Its Five-Month Pause

The threat activity described above marks the return of Emotet after nearly a five-month pause. It did not enter into that break with a whimper, however. 

Threat actors used Emotet in multiple attack campaigns before its hiatus. At the beginning of February 2020, IBM X-Force discovered an operation in which attackers had employed coronavirus 2019 as a lure in malspam emails to deliver Emotet via weaponized Word documents. Two weeks later, IBM researchers disclosed a SMiShing campaign in which attackers impersonating well-known banks sent text messages from what appeared to be local U.S. numbers. They used that cover to trick recipients into clicking on a link that redirected them to domains hosting Emotet.

These two attack campaigns, not to mention the use of brute-forcing attacks on local WiFi networks, played a large part in Check Point Research’s decision to name Emotet as the second most-popular malware in February 2020. It came behind Mirai, a threat which at the time was targeting internet of things (IoT) devices with a new vulnerability. It did so as a means of building its botnet and conducting distributed denial-of-service (DDoS) attacks.

How to Defend Against Emotet

Security professionals can help their organizations defend against an Emotet infection first and foremost by investing in a security awareness training program. As part of this education initiative, infosec personnel should regularly test their employees with phishing simulations. Emotet has a history of using email attacks to enter organizations. Therefore, by educating their employees about such campaigns, security professionals will be able to reduce the likelihood of an attack email entering into the organization.

Next, they need to realize that some attack emails will get through employees’ defenses. Therefore, they need to set up some technical controls designed to monitor the network for signs of malicious macros, a common delivery vector for Emotet. They can do this by implementing proper logging, reviewing logs for suspicious activity and performing endpoint scans.

Last but not least, infosec personnel need to stay on top of the latest attack campaigns, partnerships and tactics employed by malware actors such as those responsible for Emotet. The best way they can do this is by using threat intelligence services to prepare themselves against these new developments.

 |  |  |  | 
David Bisson
Contributing Editor

More from

April 25, 2024

NIST’s role in the global tech race against AI

4 min read - Last year, the United States Secretary of Commerce announced that the National Institute of Standards and Technology (NIST) has been put in charge of launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology.However, recent budget cuts at NIST, along with a lack of strategy implementation, have called into question the agency’s ability to lead this critical effort. Ultimately, the success…

April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature