The trojan malware botnet Emotet has reappeared and resumed its business of sending infected spam around the world.
Emotet, considered to be one of today's most dangerous malware botnets, had been dormant for nearly four months. It announced its comeback on September 16, when its signature spam emails arrived in the UK, Italy, Poland, Germany and the US, where individuals, business, and government entities were targeted.
Even though the email sendout started on Monday, the Emotet C2 servers had actually 'awoken' on August 22 and began responding to requests. It's believed that the Emotet operators spent the last few weeks doing a 'spring clean' of the botnet in order to get it ready to resume sending out malicious spam.
Bleeping Computer report that "Emotet is now targeting almost 66,000 unique emails for more than 30,000 domain names from 385 unique top-level domains (TLDs). As for the origin of the malicious emails ... they came from 3,362 different senders, whose credentials had been stolen. The count for the total number of unique domains reached 1,875, covering a little over 400 TLDs."
It's also been confirmed that Emotet's payload was Trickbot, the banking trojan / malware loader, that was a secondary infection dropped by Emotet. The email on which it arrived was well-disguised as "having a financial theme and appearing to come as a reply to a seemingly previous conversation." Once opened, the payload download routine "starts from malicious macro code embedded in a Word document. Recipients are tricked to enable macros via a fake warning that their Word software won't work beyond September 20." To make the email look more genuine, a Microsoft logo was added.
Users who don't realise they have been infected with Trickbot face the chance they may become victim to the Ryuk ransomware somewhere down the line.
At the time of writing, security researchers Cryptolaemus, who are tracking Emotet, are expected to publish free threat intel data.