July 28, 2020 By David Bisson 3 min read

A malspam campaign involving Emotet saw a resurgence after five months of laying low, Malwarebytes detected on Friday, July 17. This operation used the well-known method of sending attack emails as a reply within an existing email thread. From there, the emails invited the recipient to open an attachment. Named “Form – Jul 17, 2020.doc,” the attachment opened a Microsoft Word document that informed the user of the need to enable content.

If they agreed to do so, the user inadvertently enabled a heavily-obfuscated macro embedded within the document. That macro then proceeded to call Windows Management Instrumentation (WMI), which in turn launched PowerShell. As its final phase, the campaign used PowerShell to iterate through a list of compromised remote websites. Once it identified one that was responding, the operation pulled down an Emotet payload and installed it on the victim’s machine. Then, the malware sent confirmation back to one of its command-and-control (C&C) servers.

Restoring the “Real Damage” of an Emotet Attack

Malwarebytes notes the real damage from an Emotet infection comes from the threat group’s alliances with other malware actors. In particular, it opens machines up to actors responsible for families that are capable of dropping ransomware onto an infected computer. The actors responsible for coordinating Emotet’s attacks are aware of this point.

Just three days after Malwarebytes spotted this malspam campaign, a security researcher told Bleeping Computer that they had spotted Emotet distributing TrickBot, a trojan which has a history of distributing ransomware such as Conti and Ryuk. Just a day later, Bleeping Computer learned the Emotet gang had begun distributing QakBot across all three branches of the botnet’s infrastructure. QakBot is another preferred partner of Emotet that has in some instances loaded ProLock ransomware onto infected machines.

Emotet: Threat Activity Before Its Five-Month Pause

The threat activity described above marks the return of Emotet after nearly a five-month pause. It did not enter into that break with a whimper, however. 

Threat actors used Emotet in multiple attack campaigns before its hiatus. At the beginning of February 2020, IBM X-Force discovered an operation in which attackers had employed coronavirus 2019 as a lure in malspam emails to deliver Emotet via weaponized Word documents. Two weeks later, IBM researchers disclosed a SMiShing campaign in which attackers impersonating well-known banks sent text messages from what appeared to be local U.S. numbers. They used that cover to trick recipients into clicking on a link that redirected them to domains hosting Emotet.

These two attack campaigns, not to mention the use of brute-forcing attacks on local WiFi networks, played a large part in Check Point Research’s decision to name Emotet as the second most-popular malware in February 2020. It came behind Mirai, a threat which at the time was targeting internet of things (IoT) devices with a new vulnerability. It did so as a means of building its botnet and conducting distributed denial-of-service (DDoS) attacks.

How to Defend Against Emotet

Security professionals can help their organizations defend against an Emotet infection first and foremost by investing in a security awareness training program. As part of this education initiative, infosec personnel should regularly test their employees with phishing simulations. Emotet has a history of using email attacks to enter organizations. Therefore, by educating their employees about such campaigns, security professionals will be able to reduce the likelihood of an attack email entering into the organization.

Next, they need to realize that some attack emails will get through employees’ defenses. Therefore, they need to set up some technical controls designed to monitor the network for signs of malicious macros, a common delivery vector for Emotet. They can do this by implementing proper logging, reviewing logs for suspicious activity and performing endpoint scans.

Last but not least, infosec personnel need to stay on top of the latest attack campaigns, partnerships and tactics employed by malware actors such as those responsible for Emotet. The best way they can do this is by using threat intelligence services to prepare themselves against these new developments.

More from

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today