Researchers: Emotet Botnet Is Active AgainNew Surge in Activity Spotted After Four-Month Absence
Emotet, one of the most powerful malware-spreading botnets, is active again after a four-month absence, according to several security researchers who noticed a surge in activity primarily against U.S., U.K. and German targets starting on Monday.
In August, researchers at security firm Cofense noticed that command-and-control servers in the wild that were associated with Emotet had been activated, although the botnet itself remained dormant.
As of Monday, however, additional research from several analysts showed that the botnet was spewing out malicious code again, ending a lull since May.
In a series of tweets, researchers at security firm SpamHaus noted that they spotted a phishing campaign associated with Emotet on Monday, with the activity aimed at those who speak English, German, Polish or Italian.
Jason Meurer, a senior research engineer at Cofense, says that whomever is behind the Emotet botnet started to gear up for this attack in late August, with additional code adjustments started around Sept. 9.
"The final step was to begin sending the weaponized emails," Meurer tells Information Security Media Group. "This occurred on Sept. 16 and originated from bots in Germany utilizing the reply-chain tactic at first. It quickly spread to other regions and began sending generic and reply-chain emails on a large scale."
#emotet has resumed spamming operations this morning. We will provide some updates soon.— Cofense Labs (@CofenseLabs) September 16, 2019
Meurer noted that although the U.S., U.K. and Germany were the primary targets of spam and phishing emails, his firm found many other domains around the world were being attacked as of Monday.
A Powerful Botnet
The U.S. Department of Homeland Security has categories Emotet as one of the costliest and most destructive malware botnets ever seen.
The last known case of a large-scale Emotet attack was reported in India in May when a group of 8,000 botnet intrusions targeted several businesses.
In the latest attack launched Monday, the botnet is using a reply chain method to trick users, researchers say. In this method, a phishing email looks like a reply to a previous conversation with an attached word document, which means users can easily be tricked into downloading the document or link.
Emotet is back spamming after months of inactivity. Currently they're using stolen emails to reply to existing email threads with malspam (targeting DE).— MalwareTech (@MalwareTechBlog) September 16, 2019
The document sent from the attackers has a message prompting the user to accept a Microsoft licensing agreement with a genuine-looking Microsoft logo, according to Cofense.
Once the malware is downloaded, Emotet then uses the infected system to send out additional phishing emails and spam in an effort to grow the botnet, researchers say. The end goal of the latest campaign, however, is not yet clear, researchers note.
"Starting earlier this year, we began to see emails that appeared to have content that was scraped appended to the bottom of the email," Meurer says. "In the case of these emails, it appears as though the sender and receiver were in contact previously and that this email is a follow up. By doing this, the Emotet actors are able to create spear phishing-like emails that are relevant and believable to the end user, thus increasing the odds that they will click through."
The word doc template they are using. pic.twitter.com/oRzq6u8gYI— Cofense Labs (@CofenseLabs) September 16, 2019
A study by Sophos categorized attacks fueled by the Emotet botnet to be worse than the WannaCry attack of 2017.
Sophos researchers found as many as 750 varieties of Emotet-related malware by the end of January of this year. Some of the variants are used to deliver other malware, such as TrickBot - another banking Trojan that has found multiple uses - and the Ryuk ransomware, which researchers believe uses Emotet's network propagation capabilities to leverage larger attacks.