Emotet returns, spreading via spam emails and stolen credentials

Emotet was originally developed as a banking Trojan, but was re-written to work as a malware loader

Emotet, the notorious botnet that lay dormant for the past four months, has been awoken, this time taking advantage of stolen email passwords in a new campaign.

According to researchers at Cisco Talos, Emotet went silent at beginning of June, after the activities of its command-and-control (C&2) server dropped to almost nothing.

But after a long summer hiatus, the botnet has again been observed dropping banking Trojans, ransomware, email harvesters, information stealers, and self-propagation mechanisms in a bid to spread across a large number of machines.

Nearly 25 per cent of the spam messages that Emotet sent this week included bodies of previously sent emails

Emotet was originally developed as a banking Trojan, much like Trickbot, but was re-written to work as a malware loader. Today, its operators sell access to the botnet to other threat actors, enabling them to spread their own malware, such as the Ryuk ransomware and TrickBot Trojan.

In the first nine months of 2018, Emotet was removed from 1.5 million systems, according to researchers at security firm Malwarebytes. The threat from Emotet became so critical last year that US-CERT released an alert about its capabilities.

After being silent for around four months, Emotet has been "fully reawakened, and has resumed spamming operations once again", the Cisco Talos threat research team have warned.

The researchers found that after infecting a system and raiding the email inboxes, the malware reads the contact lists in the email account and starts sending spam emails to them. In those spam emails, the malware also quotes the bodies of previous emails that the two parties have participated in.

A follow-up email is also sent with a malicious attachment. The scraping of legitimate email content in the spam emails make it more challenging for humans as well as spam filters to detect.

"It turns out that in addition to stealing the contents of victims' inboxes, Emotet also swipes victims' credentials for sending outbound email," the researchers said.

"Emotet then distributes these stolen email credentials to other bots in its network, who then utilise these stolen credentials to transmit Emotet attack messages."

According to the researchers, nearly 25 per cent of the spam messages that Emotet sent this week included bodies of previously sent emails. In April, just 8 per cent of such spam messages used previously sent mails.

In a separate post, the researchers from Malwarebytes said they have noticed Emotet using another trick, which it first used in April - referring to potential targets by name in subject lines of the message.

"Borrowing a tactic from North Korean nation-state actors, Emotet's creators are bringing back highly sophisticated spear phishing functionality introduced in April 2019, which includes hijacking old email threads and referencing to the user by name," the researchers said.

In August, Cofense Labs was the first security firm to notice operators of Emotet quietly reactivating their command-and-control servers.

Earlier this year when Emotet was active, Recorded Future claimed that Latin America was the epicentre of Emotet Trojan activity.

Back in 2017, following another short break, Emotet returned with what was described as a polymorphic Trojan, capable of evading detection by anti-virus software.