Three days ago, Emotet, a dangerous malware botnet, was found sending malicious emails to many countries around the globe. The malicious emails carrying Emotet’s signature were first spotted on the morning of September 18th in countries including Germany, the United Kingdom, Poland, Italy, and the U.S.A., targeting individuals, businesses, and government entities. This is not Emotet’s first outing: it was first seen in 2014, when it was used as a banking trojan.
Emotet is back spamming after months of inactivity. Currently they're using stolen emails to reply to existing email threads with malspam (targeting DE).
— MalwareTech (@MalwareTechBlog) September 16, 2019
Any recipient who unknowingly downloaded and executed the malicious email’s payload may have infected their machine with Emotet. Once infected, the computer is added to the Emotet botnet, which uses it as a downloader for other threats. The Emotet botnet was also able to compromise many websites, such as customernoble.com, taxolabs.com, www.mutlukadinlarakademisi.com, and more.
In a statement to BleepingComputer, security researchers from the email security company Cofense Labs said, “Emotet is now targeting almost 66,000 unique emails for more than 30,000 domain names from 385 unique top-level domains (TLDs).” The malicious emails are suspected to originate from “3,362 different senders, whose credentials had been stolen. The count for the total number of unique domains reached 1,875, covering a little over 400 TLDs.”
Brad Duncan, a security researcher, also reported that some U.S.-based hosts received Trickbot, a banking trojan turned malware dropper. Trickbot is a secondary malware infection dropped by Emotet.
2019-09-16 – I think most everyone knows that the #Emotet #malspam started up again today – Here's some infection traffic where #Trickbot (gtag: mor1) is the follow-up malware: https://t.co/6OUn1nHBv5 pic.twitter.com/Dfm7192S6d
— Brad (@malware_traffic) September 16, 2019
What did the Emotet botnet do in its last outing?
According to BleepingComputer, the command and control (C2) servers for the Emotet botnet became active at the beginning of June 2019 but did not send out any instructions to infected machines until August 22. Presumably, the botnet was taking time to rebuild itself, establish new distribution channels, and prepare for new spam campaigns. In short, it was under maintenance. Benkøw, a security researcher, listed the stages required for the botnet to resume malicious activity.
They reuse the old IPs so they need time to:
– Grab old/new bots (it's Friday it's not a glorious day for botnets)
– remove ALL the AV bots from today on the panel lol
– Run some tests for bypassing anti spam product
– Prepare the campaign for the next Clients
etc it takes time
— Benkøw moʞuƎq (@benkow_) August 23, 2019
Therefore, Emotet’s return was not a surprise to many security researchers, as it was expected that the Emotet botnet would revive sooner or later.
How does the Emotet botnet function?
Discovered in 2014, Emotet was originally designed as a banking trojan targeting mostly German and Austrian bank customers by stealing their login credentials. Over time, however, it has evolved into a versatile and effective malware threat.
Once a device is infected, the Emotet botnet tries to penetrate associated systems via brute-force attacks. After obtaining a user’s financial data, browsing history, saved passwords, and Bitcoin wallets, Emotet can use the compromised machine to perform DDoS attacks or to send out spam emails. Meanwhile, the infected machine contacts Emotet’s command and control (C&C) servers to receive updates; the C&C servers also serve as a dumping ground for the stolen data. Per Cyren, a single Emotet bot can send a few hundred thousand emails in just one hour, which means it is capable of sending a few million emails in a day.
Emotet delivers modules that extract passwords from local apps and then spreads laterally to other computers on the same network. It is also capable of stealing entire email threads to be reused later in spam campaigns. Emotet also operates as Malware-as-a-Service (MaaS), renting access to Emotet-infected computers to other malware groups.
Meanwhile, many people on Twitter are sharing details about Emotet so that others can watch out for it.
New activity heralds the return of #emotet.
Here is a simple bulletin for all users that you are free to share with your family, friends and audience. The malware has been used in attacks that include stealing banking information. https://t.co/VU6W1x7kI2 @9NewsAUS @6PR
— BenAylett.com (@BenAylett) September 19, 2019
Interested readers can check out the Malware security analysis report for more information.
Also, head over to BleepingComputer for more details.