Emotet started as a banking trojan some five years ago but has turned into so much more. Nowadays, it has become one of the most dangerous botnets and malware droppers-for-hire in the world. To fully monetize the attacks, Emotet often drops new banking trojans, email harvesters, self-propagation mechanisms, information stealers, and even ransomware.
Security researchers noted that the threat actors behind Emotet took a summer vacation, starting in June 2019, in which even the command and control (C2) activities came to a halt. As the summer months began to come to their conclusion, however, security researchers began to see an increase in the activity of Emotet's C2 infrastructure. As of September 16, 2019, Emotet is already in full gear with a reinvigorated spam campaign, relying on social engineering.
Emotet targets computer users through enticing spam email campaigns
One of the most ingenious and menacing ways through which Emotet infected victims was through stolen email content. The malware would swipe a victim's inbox and copy existing conversations, which it will then use in its own emails. Emotet will quote the bodies of real messages in a "reply" to a victim's unread email, in a bid to trick them into opening a malware-laced attachment, usually in the guise of a Microsoft Word document.
It doesn't take a lot of imagination to see how someone expecting a reply to an ongoing conversation could be fooled in this manner. Furthermore, by mimicking existing email conversations, including genuine email contents and Subject headers, the messages become much more randomized and challenging to filter by anti-spam systems.
What's interesting is that Emotet doesn't use the email from which it stole content to send it to a potential victim. Instead, it sends the lifted conversation to another bot in the network, which then sends the email from an entirely different location, using a completely separate outbound SMTP server.
According to security researchers, Emotet used stolen email conversations in about 8.5 percent of attack messages before its summer hiatus. Since the vacation season has come to a close, however, this tactic has become more prominent, accounting for almost a quarter of all of Emotet's outbound email traffic.
Cybercrooks leverage Emotet to steal personal data
The tools at the disposal of cybercrooks looking to steal personal information from computers is virtually endless. It just so happens that Emotet is a type of malware threat that is highly effective at leveraging in a way to launch mass spam email campaigns that spreads malware designed to steal data from an unsuspecting computer user. The way in which Emotet works is to open up a backdoor for other high-risk computer threats, such as the Dridex trojan horse, which is specifically designed to steal data from a computer user using aggressive phishing techniques.
This Week in Malware Video: Episode 1 covering the triple threat campaign of Emotet, Trickbot & Ryuk Ransomware are stealing and ransoming data.
When used by the right type of hacker or cybercrook, Emotet may be used in a way to infiltrate a computer to load and install multiple malware threats. Even so, the additionally installed threats may be more dangerous where they may connect to command and control (C&C) servers to download instructions to carry out on the infected system.
The effects of Emotet should never be taken lightly
In any case of a malware threat as far-reaching as Emotet, computer users should take necessary precautions to prevent an attack from such. On the flip side, those who have been attacked by Emotet will want to find the necessary resource to safely detect and eliminate the threat. If one allows Emotet to run on a computer for a long period of time, the risk of having data pilfered exponentially increases.
Computer users who may delay in eliminating Emotet or taking the proper precautions will put their personal data stored on their PC at risk, which could lead to serious issues like identity theft. Moreover, Emotet is a difficult threat to detect, which is a process that is primarily done by an updated antimalware resource or application.
At all times, computer users should utilize caution when opening emails with attachments, specifically ones that contain attachments in the form of Microsoft Word documents, which is known to be a method that Emotet uses to spread malware.
The return of Emotet
At one point in 2019, Emotet's command and control servers where shuttered leaving systems infected by the threat free from being under the control of the perpetrators behind Emotet. However, not too soon after the shut-down of the C&C servers, Emotet came back from the dead where hackers not only gained control of Emotet, but they are using legitimate websites to spread the threat via spam campaigns by first hacking the sites.
Emotet’s developers have reportedly targeted about 66,000 email addresses for over 30,000 domain names, many of those domains belonging to legitimate sites that were hacked. Some of the legitimate sites attacked by the creators of Emotet are the following:
Fundamentally, we will see an increase in malware infections as sure as time progresses. As researchers from Cisco Talos noted: "When a threat group goes silent, it's unlikely they'll be gone forever," elaborating: "Rather, this opens up the opportunity for a threat group to return with new IOCs, tactics, techniques, and procedures or new malware variants that can avoid existing detection."
File System Details
|#||File Name||Size||MD5||Detection Count|
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.