
The Emotet Botnet Comes Back to Life


One of the largest botnets was disrupted and shut down in an international law enforcement operation that took place in early 2021. Now, more than a year later, the same botnet is showing signs of life once again, and it seems that it has grown some new horns and spines in the time it lay dormant. The botnet in question is the infamous Emotet bot network - a web of compromised devices used for different malicious purposes.

What is Emotet?

A botnet can be put to a number of malicious tasks by the party controlling the compromised devices, or "bots". In the case of Emotet, the network was used to spread malware, and the bots were rented out to other malicious parties, similar to the ransomware-as-a-service model, except that what is sold is access to the compromised device infrastructure.

Now, a research team with security firm Proofpoint has identified "low-volume Emotet activity", describing it as "drastically" different from the regular way the Emotet botnet was operated.

Emotet is now being distributed through email campaigns. According to the researchers, the addresses the malicious messages originate from appear to be compromised accounts, because Emotet's own spam module was not used to push the messages out to recipients.

New malicious email campaign spreads Emotet

The emails were simple in structure - one-word subject strings, such as "Salary". This is a simple but effective trick to pique the victim's curiosity and get the user to click through whatever the email contains. In this case, the emails contain just a single link to OneDrive.

The OneDrive links point to Microsoft Excel add-in (XLL) files, placed in a zip archive. The archive and the Excel file inside it are both named similarly to the subject of the mail. In the example provided by Proofpoint, the archive was named "Salary_new.zip" and the Excel file inside it "Salary_and_bonuses-04.01.2022.xll".

Once the user extracts the Excel file and attempts to open it, Emotet is dropped and deployed.
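A defender-side check for the lure pattern described above (one-word subject, a body that is nothing but a OneDrive link, and a zip archive holding an .xll named after the subject), written as an added example that is not from the article or from Proofpoint's research. The OneDrive hostnames, the InboundMail record and the sample messages are constructed assumptions.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# OneDrive share-link hosts (assumed; 1drv.ms is the OneDrive short-link domain).
ONEDRIVE_LINK = re.compile(r"https?://(?:1drv\.ms|onedrive\.live\.com)/\S+", re.IGNORECASE)


@dataclass
class InboundMail:
    subject: str
    body: str
    archive: Optional[bytes] = None  # zip bytes fetched from the link, if a sandbox followed it


def single_word_subject(subject: str) -> bool:
    return len(subject.split()) == 1


def bare_onedrive_link(body: str) -> bool:
    # The whole body is one OneDrive URL: no greeting, no text, no signature.
    return ONEDRIVE_LINK.fullmatch(body.strip()) is not None


def xll_members(archive: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".xll")]


def lure_indicators(mail: InboundMail) -> List[str]:
    """Names of the Emotet lure traits this mail exhibits (empty list = none seen)."""
    hits = []
    if single_word_subject(mail.subject):
        hits.append("one-word subject")
    if bare_onedrive_link(mail.body):
        hits.append("body is a single OneDrive link")
    if mail.archive is not None:
        xlls = xll_members(mail.archive)
        if xlls:
            hits.append("zip contains .xll add-in")
            if any(mail.subject.lower() in n.lower() for n in xlls):
                hits.append(".xll name reuses the subject word")
    return hits


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the lure mirrors the naming from the write-up, with dummy file content.
SAMPLE_ZIP = build_zip({"Salary_and_bonuses-04.01.2022.xll": b"placeholder, not a real add-in"})
SAMPLE_LURE = InboundMail("Salary", "https://1drv.ms/u/s!constructed-share-id", SAMPLE_ZIP)
SAMPLE_BENIGN = InboundMail("Q3 planning notes", "Hi team, slides: https://1drv.ms/u/s!x\nThanks")
```

Running `lure_indicators` over the two samples flags all four traits on the lure and none on the benign message; in practice the archive bytes come from a sandbox that follows the link, which the example only simulates.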

Given the low-volume nature of the campaign, in contrast to the high-volume, aggressive spam approach Emotet used previously, researchers believe the malware operators are trialling new delivery techniques and new ways to evade automated detection.
