After a long absence, the botnet built on the Emotet Trojan has returned to the Internet arena and resumed its attacks: it has begun generating spam aimed at spreading the malware further. Malicious mailings have been seen in Germany, Poland, the UK, Italy and the USA. According to observations, Emotet C&C servers showed no activity for three months; according to the nonprofit organization Spamhaus, their activity dropped to zero in early June.
Apparently, the botnet operators decided to purge the fake bots planted by information security researchers, check the reliability of their infrastructure and replenish their stock of hacked sites for distributing the trojan before launching a new attack. Emotet's command servers only came back to life at the end of August; the first reports of the new spam campaign appeared on Twitter on Monday, September 16th.
Commenting on the new surge in botnet activity for Bleeping Computer, Cofense Labs experts noted that they had already counted about 66 thousand unique emails referencing 30 thousand malicious domains in 385 TLD zones, as well as 3362 different senders. Cofense further states that while some campaigns may use a sender list from a predefined targeting category, for the most part there are no defined targets, as is common for campaigns this large.
“From home users all the way up to government owned domains. The sender list includes the same dispersion as the targets. Many times we’ve seen precise targeting using a sender whose contact list appears to have been scraped and used as the target list for that sender. This would include b2b as well as gov to gov”, Cofense Labs specialists report.
The attackers mainly use financial topics, disguise their messages as a continuation of existing correspondence and ask the recipient to read the information in the attachment.
As the analysis showed, the attached Microsoft Word document contains a malicious macro. To launch it, the recipient is prompted to enable macros, with the explanation that this is supposedly necessary to accept the license agreement with Microsoft, otherwise Word will stop working on September 20. For added persuasiveness, the Microsoft logo is inserted in the fake message.
If the user follows the attackers' instructions, Emotet is downloaded to their machine. Currently, only about half of the antivirus engines on VirusTotal detect the malicious attachment.
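As an added defender-side example (not part of this article or of Cofense's analysis), a mail-gateway check that flags the lure described above: a macro-bearing Office attachment paired with a reply-style, finance-themed subject. It assumes OOXML (.docm) attachments, whose macros live in word/vbaProject.bin; legacy binary .doc files would need an OLE parser such as oletools, which is not shown, and the keyword list and sample document are constructed.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Constructed sample: a minimal OOXML (zip) container standing in for the Word
# attachment. Real .docm files carry their macros in word/vbaProject.bin.
def build_docx(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()

# Lure signals from the campaign: reply-chain subjects and financial topics
# (keyword list is an assumption, tune it to your own mail flow).
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
FINANCE_WORDS = re.compile(r"\b(invoice|payment|statement|overdue|remittance)\b", re.I)

def attachment_has_macro(data: bytes) -> bool:
    """True if an OOXML attachment embeds a VBA project; non-zip input is False."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def score_message(subject: str, attachment: Optional[bytes]) -> Tuple[int, List[str]]:
    """Return a simple score and the reasons that contributed to it."""
    reasons: List[str] = []
    if attachment is not None and attachment_has_macro(attachment):
        reasons.append("macro-enabled Office attachment")
    if REPLY_PREFIX.search(subject):
        reasons.append("reply-chain subject")
    if FINANCE_WORDS.search(subject):
        reasons.append("financial theme")
    return len(reasons), reasons

def should_quarantine(subject: str, attachment: Optional[bytes]) -> bool:
    """Quarantine when a macro attachment arrives with at least one lure signal."""
    score, reasons = score_message(subject, attachment)
    return "macro-enabled Office attachment" in reasons and score >= 2

if __name__ == "__main__":
    for subj, doc in [("RE: Invoice 4471 overdue", build_docx(True)),
                      ("Meeting notes", build_docx(False))]:
        print(subj, "->", score_message(subj, doc), "quarantine:", should_quarantine(subj, doc))
```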
However, expanding the Emotet botnet is not the only goal of the new spam campaign. Once on the victim’s computer, the malware fetches another trojan, Trickbot.
“At the beginning there was no definitive answer on the payload, only unconfirmed reports that some U.S.-based hosts received Trickbot, a banking trojan turned malware dropper, as a secondary infection dropped by Emotet”, Cofense Labs reported.
Information security experts have been monitoring Emotet since 2014. Over that period, this modular malware, originally aimed at stealing money from online accounts, has gained many new features: in particular, it learned to steal credentials from applications, spread on its own across a local network and download other malware. The botnet built on it is leased to other attackers and is often used to spread banking Trojans.