Emotet, a dangerous botnet spams malicious emails, “targets 66,000 unique emails for more than 30,000 domain names” reports BleepingComputer

Three days ago, Emotet, a dangerous malware botnet was found sending malicious emails to many countries around the globe. The maligned email with Emotet’s signature was first spotted on the morning of September 18th in countries like Germany, the United Kingdom, Poland, Italy, and the U.S.A. by targeting their individuals, businesses, and government entities. This is not Emotet’s first outing, as it has been found to be used as a banking trojan in 2014.

If any receiver of the infected mail unknowingly downloaded and executed it, they may have exposed themselves to the Emotet malware. Once infected, the computer is then added to the Emotet botnet which uses the particular computer as a downloader for other threats. The Emotet botnet was able to compromise many websites like customernoble.com, taxolabs.com, www.mutlukadinlarakademisi.com, and more.

In a statement to BleepingComputer, security researchers from email security corp Cofense Labs said, “Emotet is now targeting almost 66,000 unique emails for more than 30,000 domain names from 385 unique top-level domains (TLDs).” The origin of the malicious emails are suspected to be from “3,362 different senders, whose credentials had been stolen. The count for the total number of unique domains reached 1,875, covering a little over 400 TLDs.”

Brad Duncan, a security researcher also reported that some U.S.-based hosts received Trickbot, which is a banking trojan turned malware dropper. Trickbot is a secondary malware infection dropped by Emotet.

What did Emotet botnet do in its last outing?

According to BleepingComputer, the Command and control (C2) servers for the Emotet botnet had got active in the beginning of June 2019 but did not send out any instructions to infected machines, until August 22. Presumably, the bot was taking time to rebuild themselves, establish new distribution channels and preparing for new spam campaigns. In short, it was under maintenance. Benkøw, a security researcher had listed a list of stages required for the botnet to respawn a malicious activity.

Therefore, Emotet’s arrival was not a surprise to many security researchers, as it was expected that the Emotet botnet would revive sooner or later.

How does the Emotet botnet function?

Discovered in 2014, Emotet was originally designed as a banking trojan to target mostly German and Austrian bank customers by stealing their login credentials. However, over time it has evolved into a versatile and effective malware attack.

Once a device is infected, the Emotet botnet tries to penetrate the associated systems via brute-force attacks. This enables Emotnet to perform DDoS attacks or to send out spam emails after obtaining a user’s financial data, browsing history, saved passwords, and Bitcoin wallets. On the other hand, the infected machine comes in contact with Emotet’s Command and Control (C&C) servers to receive updates. It also uses its C&C servers as a junkyard for storing the stolen data. Per Cyren, a single Emotet bot can send a few hundred thousand emails in just one hour, which means that it is capable of sending a few million emails in a day.

Emotet delivers modules to extract passwords from local apps, which is then spread sideways to other computers on the same network. It is also capable of stealing the entire email thread to be later reused for spam campaigns. Emotet also provides Malware-as-a-Service (MaaS) to other malware groups to rent access to the Emotet-infected computers.

Meanwhile, many people on Twitter are sharing details about Emotet for others to watch out.

Interested readers can check out the Malware security analysis report for more information.

Also, head over to BleepingComputer for more details.

Latest news in Security

LastPass patched security vulnerability from the extensions generated on pop-up windows

An unsecured Elasticsearch database exposes personal information of 20 million Ecuadoreans including 6.77M children under 18

UK’s NCSC report reveals significant ransomware, phishing, and supply chain threats to businesses