
Malware Botnet Emotet Awakes and Resumes its Spamming Campaign

Giulio Saggin
Tuesday 28 November 2023

The trojan malware botnet Emotet has reappeared and resumed its business of sending infected spam around the world.

Emotet, considered to be one of today's most dangerous malware botnets, had been dormant for nearly four months. It announced its comeback on September 16, when its signature spam emails arrived in the UK, Italy, Poland, Germany and the US, where individuals, businesses and government entities were targeted.

Even though the email send-out started on Monday, the Emotet C2 servers had actually 'awoken' on August 22 and begun responding to requests. It's believed that the Emotet operators spent the intervening weeks doing a 'spring clean' of the botnet in order to get it ready to resume sending out malicious spam.

Bleeping Computer reports that "Emotet is now targeting almost 66,000 unique emails for more than 30,000 domain names from 385 unique top-level domains (TLDs). As for the origin of the malicious emails ... they came from 3,362 different senders, whose credentials had been stolen. The count for the total number of unique domains reached 1,875, covering a little over 400 TLDs."

It's also been confirmed that Emotet's payload was Trickbot, the banking trojan and malware loader, dropped by Emotet as a secondary infection. The email it arrived in was well disguised, "having a financial theme and appearing to come as a reply to a seemingly previous conversation." Once opened, the payload download routine "starts from malicious macro code embedded in a Word document. Recipients are tricked to enable macros via a fake warning that their Word software won't work beyond September 20." To make the email look more genuine, a Microsoft logo was added.
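The infection chain above starts with a macro-bearing Word attachment, so the cheapest place to intervene is at the mail gateway, before anyone sees the fake "enable macros" warning. The following is an added example, not code from the article or from Bleeping Computer: it builds two constructed, minimal OOXML packages in memory (a macro-free .docx and a macro-enabled .docm, with placeholder bytes standing in for a VBA project) and classifies an attachment by what the container actually holds rather than by its file extension. The function names and the verdict strings are this example's own assumptions.

```python
import io
import zipfile

# Header of the legacy OLE2 container used by binary .doc/.xls files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that are *expected* to carry VBA; anything else carrying VBA is a mismatch.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def build_sample(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML package in memory (not a real malware sample)."""
    ct_main = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{ct_main}"/>'
        + (
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
            if with_macro
            else ""
        )
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project stream.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def inspect_office_document(data: bytes) -> dict:
    """Look inside the container; never trust the file name."""
    info = {"legacy_ole2": False, "is_ooxml": False,
            "has_vba_project": False, "macro_enabled_type": False}
    if data.startswith(OLE2_MAGIC):
        # Binary Office format: VBA lives in OLE streams, needs a dedicated parser.
        info["legacy_ole2"] = True
        return info
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info
    names = z.namelist()
    info["is_ooxml"] = "[Content_Types].xml" in names
    # The VBA project is stored as its own part; its presence is the strongest signal.
    info["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if info["is_ooxml"]:
        ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
        info["macro_enabled_type"] = "macroEnabled" in ct or "vbaProject" in ct
    return info


def classify_attachment(filename: str, data: bytes) -> str:
    """Verdict for a gateway policy: clean / macro / macro-extension-mismatch / legacy-binary / not-office."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    info = inspect_office_document(data)
    if info["legacy_ole2"]:
        return "legacy-binary"
    if not info["is_ooxml"]:
        return "not-office"
    if info["has_vba_project"] or info["macro_enabled_type"]:
        # A VBA project inside a .docx-named file is a disguise attempt in its own right.
        return "macro" if ext in MACRO_EXTENSIONS else "macro-extension-mismatch"
    return "clean"


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("invoice.docx", build_sample(False))]:
        print(name, "->", classify_attachment(name, blob))
```

A "legacy-binary" verdict means the file is the old OLE2 .doc format, which this zip-based check cannot see into; hand those to a dedicated VBA parser such as olevba from the oletools project, or quarantine them outright if the organisation has no business need for binary Office attachments from outside.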

Users who don't realise they have been infected with Trickbot run the risk of falling victim to the Ryuk ransomware further down the line.

At the time of writing, the security researchers at Cryptolaemus, who track Emotet, are expected to publish free threat-intel data.

© 2024 SecAlerts Pty Ltd.