
Researchers: Emotet Botnet Is Active Again

New Surge in Activity Spotted After Four-Month Absence

Emotet, one of the most powerful malware-spreading botnets, is active again after a four-month absence, according to several security researchers who noticed a surge in activity primarily against U.S., U.K. and German targets starting on Monday.


In August, researchers at security firm Cofense noticed that command-and-control servers in the wild that were associated with Emotet had been activated, although the botnet itself remained dormant.

As of Monday, however, additional research from several analysts showed that the botnet was spewing out malicious code again, ending a lull since May.

In a series of tweets, researchers at Spamhaus noted that they spotted a phishing campaign associated with Emotet on Monday, with the lures written for English, German, Polish and Italian speakers.

Jason Meurer, a senior research engineer at Cofense, says that whoever is behind the Emotet botnet started to gear up for this attack in late August, with additional code adjustments starting around Sept. 9.

"The final step was to begin sending the weaponized emails," Meurer tells Information Security Media Group. "This occurred on Sept. 16 and originated from bots in Germany utilizing the reply-chain tactic at first. It quickly spread to other regions and began sending generic and reply-chain emails on a large scale."

Meurer noted that although the U.S., U.K. and Germany were the primary targets of spam and phishing emails, his firm found many other domains around the world were being attacked as of Monday.

A Powerful Botnet

The U.S. Department of Homeland Security has categorized Emotet as one of the costliest and most destructive malware botnets ever seen.

The last known large-scale Emotet attack was reported in India in May, when some 8,000 botnet intrusions were recorded against several businesses.

In the latest attack launched Monday, the botnet is using a reply-chain method to trick users, researchers say. In this method, a phishing email looks like a reply to a previous conversation with the recipient and carries an attached Word document, so users can easily be tricked into opening the attachment or clicking a link.

The document sent by the attackers displays a message, complete with a genuine-looking Microsoft logo, prompting the user to accept a Microsoft licensing agreement, according to Cofense; as with earlier Emotet documents, the lure exists to get the recipient to enable the document's active content.

Once a system is infected, Emotet uses it to send out additional phishing emails and spam in an effort to grow the botnet, researchers say. The end goal of the latest campaign, however, is not yet clear, researchers note.

"Starting earlier this year, we began to see emails that appeared to have content that was scraped appended to the bottom of the email," Meurer says. "In the case of these emails, it appears as though the sender and receiver were in contact previously and that this email is a follow up. By doing this, the Emotet actors are able to create spear phishing-like emails that are relevant and believable to the end user, thus increasing the odds that they will click through."
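The two passages above describe the reply-chain lure: a message that presents itself as a reply to an existing conversation, with scraped thread content appended below and a Word document attached. The following Python triage heuristic is an added example, not code from the original article or from Cofense; it turns that description into a check that can be run over raw messages. A genuine reply produced by a mail client carries In-Reply-To and References headers (RFC 5322 section 3.6.4); a bot-generated "reply" often does not. The reply-prefix list, the scoring weights and the three sample messages are constructed assumptions for illustration.

```python
"""Heuristic triage for reply-chain (thread-hijacking) phishing.

Added example, not part of the original article or Cofense's research.
It scores an RFC 5322 message on three signals the article describes:
the mail presents itself as a reply, the threading headers a genuine
reply would carry are absent, and a macro-capable Word document is
attached. Prefixes, weights and sample messages are constructed.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Reply/forward subject prefixes for the languages the campaign targeted
# (English, German, Polish, Italian). Constructed list; extend as needed.
REPLY_PREFIX = re.compile(r"^\s*(re|aw|wg|odp|r|fwd?|fw)\s*:", re.IGNORECASE)
# Word formats that can carry VBA macros (.doc is the legacy binary format).
MACRO_DOC_EXT = (".doc", ".docm", ".dot", ".dotm")
# Markers of a quoted earlier conversation appended to the body.
QUOTED_THREAD = re.compile(
    r"^(>|On .* wrote:|-----Original Message-----|From: )", re.MULTILINE)


def score_message(raw: str) -> dict:
    """Parse one raw message and return its findings, score and verdict."""
    msg = message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    looks_like_reply = bool(REPLY_PREFIX.match(subject))
    # A real reply threads itself with In-Reply-To/References; a bot that
    # only scraped the old conversation usually omits both.
    missing_thread_headers = looks_like_reply and not (
        msg.get("In-Reply-To") or msg.get("References"))
    macro_attachments = [
        (part.get_filename() or "").lower()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(MACRO_DOC_EXT)]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    quoted_thread = bool(QUOTED_THREAD.search(text))

    score = 0
    if missing_thread_headers:
        score += 2          # claims to be a reply but is not threaded
    if macro_attachments:
        score += 2          # macro-capable document attached
    if quoted_thread and missing_thread_headers:
        score += 1          # scraped conversation pasted under a fake reply
    verdict = "quarantine" if score >= 4 else "review" if score >= 2 else "pass"
    return {
        "looks_like_reply": looks_like_reply,
        "missing_thread_headers": missing_thread_headers,
        "macro_attachment": macro_attachments,
        "quoted_thread_in_body": quoted_thread,
        "score": score,
        "verdict": verdict,
    }


def _build_sample(subject, in_reply_to, body, attachment_name=None) -> str:
    """Construct a sample message and serialize it to raw RFC 5322 text."""
    m = EmailMessage()
    m["From"] = "alice@example.test"
    m["To"] = "bob@example.test"
    m["Subject"] = subject
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
        m["References"] = in_reply_to
    m.set_content(body)
    if attachment_name:
        # Placeholder bytes stand in for a real document (constructed).
        m.add_attachment(b"\xd0\xcf\x11\xe0 placeholder", maintype="application",
                         subtype="msword", filename=attachment_name)
    return m.as_string()


SAMPLES = {
    # Hijacked thread: reply prefix, no threading headers, scraped quote, .doc
    "hijacked_reply": _build_sample(
        "RE: Q3 order", None,
        "Please see the attached invoice.\n\n-----Original Message-----\n"
        "From: Bob <bob@example.test>\nSubject: Q3 order\n\n"
        "Hi Alice, can you send the updated invoice?\n",
        "Invoice_2019.doc"),
    # Genuine reply: properly threaded, quoted text is expected here
    "genuine_reply": _build_sample(
        "RE: Q3 order", "<1234@example.test>",
        "Thanks, received.\n\nOn Mon, Bob wrote:\n> can you send the invoice?\n"),
    # Unthreaded reply with nothing attached: worth a look, not a block
    "bare_reply_no_attachment": _build_sample(
        "AW: Rechnung", None, "Anbei die Unterlagen.\n"),
}


def triage_samples() -> dict:
    """Score every constructed sample and return results keyed by name."""
    return {name: score_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name}: {result['verdict']} (score {result['score']})")
```

Threading headers are trivially forgeable, so this is a triage score for routing mail to review or detonation, not a verdict on its own; the attachment signal should be paired with a sandbox or macro-stripping policy at the gateway.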

Dangerous Emotet

A study by Sophos rated attacks fueled by the Emotet botnet as worse than the WannaCry attack of 2017.

Sophos researchers found as many as 750 varieties of Emotet-related malware by the end of January of this year. Some of the variants are used to deliver other malware, such as TrickBot - another banking Trojan that has been repurposed for a range of tasks - and the Ryuk ransomware, which researchers believe relies on Emotet's network propagation capabilities to stage larger attacks.

About the Author

Apurva Venkat


Special Correspondent

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.
