
Update: Emotet Botnet Delivering Qbot Banking Trojan

Malware Spreading Via Malicious Emails
A spam email with a malicious attachment that attempts to install Emotet on a device (Source: Proofpoint)

The Emotet botnet, which recently surged back to life after a months-long hiatus, is now delivering the Qbot banking Trojan to victims' devices, security researchers say.


Since researchers first spotted a resurgent Emotet on Friday, more than 800,000 malicious spam emails have been detected attempting to deliver the malware to victims' devices and grow the botnet, according to the security firm Proofpoint. In most cases, the emails carried malicious Microsoft Word attachments, or URLs pointing to such documents, which rely on the recipient enabling macros to install the malware.

The malspam campaign that is spreading the Emotet botnet has been spotted in the U.S., U.K., Canada, Austria, Germany, Brazil, Italy and Spain, says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

"As in previous Emotet campaigns, the payload is delivered either through a malicious attachment, a URL in the email body, or an attachment with a link to the malicious download," DeGrippo tells Information Security Media Group. "The email lures are short and often in the language of the intended recipient, though they are otherwise not customized."
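The two delivery paths described above (a macro-bearing Office attachment, or a URL in the body pointing to one) are what a mail-gateway or SOC triage script has to pick apart. The following is an added example written for this article, not code from Proofpoint, Cryptolaemus or the campaign itself: it parses an email, flags attachments that embed a VBA project, marks legacy binary Office files for deeper inspection, and pulls URLs out of the body for reputation checks. The sample message, sender, filenames and URL are all constructed placeholders.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Magic bytes of an OLE2 compound file (legacy .doc/.xls); macros in these
# need an OLE parser to confirm, so we only flag them for review here.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"  # OOXML (.docx/.docm/.xlsm) is a zip container
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_attachment(data):
    """Return (verdict, reason) for one attachment's raw bytes.

    verdict is 'block', 'review' or 'allow'. Only the container structure is
    inspected; this is a first-pass triage step, not a full macro analysis.
    """
    if data.startswith(OLE_MAGIC):
        return "review", "legacy OLE2 Office file; macro content not verified"
    if not data.startswith(ZIP_MAGIC):
        return "allow", "not an Office container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "review", "zip-like attachment that fails to parse"
    # Any OOXML document carrying a VBA project is macro-capable regardless
    # of the file extension it was sent under.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "block", "OOXML document embeds a VBA project"
    if "[content_types].xml" in names:
        return "allow", "OOXML document without VBA project"
    return "review", "zip archive that is not an Office document"


def triage_message(raw):
    """Parse a raw RFC 5322 message; return (attachment findings, body URLs)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdict, reason = classify_attachment(part.get_payload(decode=True))
        findings.append((name, verdict, reason))
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = URL_RE.findall(body.get_content()) if body else []
    return findings, urls


# --- constructed test fixtures (not real campaign samples) -----------------

def build_docx(with_macro):
    """Build a minimal OOXML document, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_sample_message(attachment_name, attachment_bytes):
    """Constructed lure-style email with one attachment and one body URL."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document or visit http://example.invalid/doc")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, blob in (("invoice.docm", build_docx(True)),
                       ("invoice.docx", build_docx(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 64)):
        findings, urls = triage_message(build_sample_message(name, blob))
        print(findings, urls)
```

The verdicts are deliberately conservative: a legacy OLE file gets "review" rather than "allow" because the structure check alone cannot prove it is macro-free, and the URL list is meant to be fed to a reputation or sandbox lookup rather than judged by the script.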

Emotet and Qbot

While security researchers and the U.S. Cybersecurity and Infrastructure Security Agency consider Emotet one of the most dangerous malware strains now in use, an even greater threat from the botnet is its ability to deliver other malicious code, security researchers say.

While Emotet has previously been associated with malware such as TrickBot and various ransomware strains, this latest campaign appears designed to deliver a banking Trojan known as Qbot or Qakbot, according to Cryptolaemus, a group of security researchers who track and attempt to disrupt the botnet.

Proofpoint has also seen evidence of Emotet attempting to deliver Qbot. "Given the highly versatile nature of this threat, we may see additional changes as more messages are distributed," DeGrippo says.

The Emotet botnet comprises separate subgroups or "epochs" that each have their own command-and-control infrastructure and can deliver malware. In this latest campaign, researchers with Cryptolaemus, as well as security firm Intel 471, found that several Emotet epochs were attempting to deliver Qbot.

Qbot, which has been active since 2008, is primarily designed to steal the data and credentials of banking customers. In June, researchers with F5 Labs uncovered a Qbot campaign that targeted customers of several large financial institutions, including JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo, among others (see: Researchers: Qbot Banking Trojan Making a Comeback).

In 2014, Proofpoint found that Qbot was able to compromise about 800,000 banking credentials during a single campaign (see: Hackers Grab 800,000 Banking Credentials).

Emotet's History

Emotet first appeared as a banking Trojan in 2014. Over the years, its operators have adjusted its code, and it now primarily works as a botnet delivering other malware to infected devices, according to security researchers.

Emotet frequently re-emerges after periods of inactivity. This happened again on Friday, when it appeared for the first time since February.

After a previous four-month absence, Emotet came back to life in September 2019 and continued sending out malicious spam and phishing emails until it went quiet again in February (see: Researchers: Emotet Botnet Is Active Again).

Managing Editor Scott Ferguson contributed to this report.


About the Author

Chinmay Rautmare


Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produce multimedia content and daily market shows. Rautmare is a keen follower of geopolitical news and defense technology in his free time.