Updated on 2022-11-21: Emotet’s return
Deep Instinct researchers have published an analysis of the return of Emotet, the infamous spam botnet that had been dormant since June this year. Proofpoint has more on this too. Read more:
Updated on 2022-11-18: Emotet’s return
Proofpoint has a detailed write-up of the recent Emotet spam campaigns that followed the botnet's latest hiatus; the botnet ceased all activity between June and November 2022. As Proofpoint's Sherrod DeGrippo told RiskyBizNews in our latest podcast, this comeback involved lots of international lures, with phishing emails in Greek, German, French, Italian, Japanese, Portuguese and Spanish. Read more: A Comprehensive Look at Emotet's Fall 2022 Return
Updated on 2022-11-17
Emotet has returned to the threat landscape after a hiatus of four months, noted Proofpoint researchers. In a new update, it is now dropping IcedID. Read more: A Comprehensive Look at Emotet’s Fall 2022 Return
Updated on 2022-11-09: Emotet back from the dead
Cisco Talos has analyzed the recent malspam campaigns coming out of the Emotet botnet, which recently came back to life after lying dormant since June this year. Read more: Emotet coming in hot
🚨Emotet back in Distro Mode🚨 – As of 0800 UTC E4 began spamming and as of 0930 UTC E5 began spamming again. Looks like Ivan is in need of some cash again so he went back to work. Be on the lookout for direct attached XLS files and zipped and password protected XLS. 1/x
— Cryptolaemus (@Cryptolaemus1) November 2, 2022
Updated on 2022-11-04: Welcome back, Emotet
After stopping operations back in June, the Emotet botnet is back at its old tricks, sending out new email spam waves in search of new victims. Read more: Emotet botnet starts blasting malware again after 4 month break
Updated on 2022-10-31
Elastic's security team has published an analysis of the new encoding format Emotet uses to store and protect its configuration. Read more: EMOTET Dynamic Configuration Extraction
Updated on 2022-10-30
The VMware Threat Analysis Unit has put out a 68-page report on the activities of the new incarnation of the Emotet botnet, which returned to activity in January this year after being taken down by law enforcement in 2021. Read more: Emotet Exposed: A Look Inside the Cybercriminal Supply Chain
Updated on 2022-10-21
Trustwave SpiderLabs has spotted a rise in threats delivered inside password-protected archives, with 96% of these spammed out by Emotet. Read more: Nested self-extracting RAR
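The password-protected archive problem noted here (and in the Cryptolaemus warning above about zipped, password-protected XLS lures) is something a mail gateway can check for without the password, because the ZIP format signals per-entry encryption in bit 0 of the general-purpose flag stored in the central directory. The following is an added example, not code from Trustwave or any other vendor on this page: it reads that flag, notes Office documents and nested archives inside the attachment, and applies an assumed hold/scan/pass policy. Python's zipfile cannot write encrypted archives, so the sample "encrypted" attachment is constructed by patching the flag bit into an ordinary ZIP; the payload itself is placeholder text.

```python
import io
import struct
import zipfile

# Extensions worth a second look when they turn up inside an archive attachment.
NESTED_ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")
OFFICE_EXT = (".xls", ".xlsm", ".xlsb", ".doc", ".docm")


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment without extracting anything.

    Per-entry encryption is bit 0 of the general-purpose flag in the central
    directory, so it is visible without the password. An unparseable archive
    is reported rather than ignored: a mangled ZIP that the client can still
    open is a classic way past a gateway scanner.
    """
    result = {"entries": 0, "encrypted": [], "office": [], "nested": [], "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        result["error"] = str(exc)
        return result
    with zf:
        for info in zf.infolist():
            result["entries"] += 1
            name = info.filename.lower()
            if info.flag_bits & 0x1:
                result["encrypted"].append(info.filename)
            if name.endswith(OFFICE_EXT):
                result["office"].append(info.filename)
            if name.endswith(NESTED_ARCHIVE_EXT):
                result["nested"].append(info.filename)
    return result


def verdict(result: dict) -> str:
    """Assumed gateway policy: hold anything the scanner cannot look inside,
    send archived Office documents to content scanning, pass the rest."""
    if result["error"] or result["encrypted"] or result["nested"]:
        return "hold"
    if result["office"]:
        return "scan"
    return "pass"


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed test helper: set flag bit 0 on every entry of a ZIP
    written by zipfile (no archive comment, no ZIP64). The data is left in
    the clear; only the encryption flag in both header copies changes."""
    buf = bytearray(zip_bytes)
    eocd = len(buf) - 22                       # end-of-central-directory record
    assert buf[eocd:eocd + 4] == b"PK\x05\x06"
    count = struct.unpack_from("<H", buf, eocd + 10)[0]
    pos = struct.unpack_from("<I", buf, eocd + 16)[0]
    for _ in range(count):
        assert buf[pos:pos + 4] == b"PK\x01\x02"
        nlen, elen, clen = struct.unpack_from("<HHH", buf, pos + 28)
        local = struct.unpack_from("<I", buf, pos + 42)[0]
        buf[pos + 8] |= 1                      # central directory flags
        buf[local + 6] |= 1                    # local file header flags
        pos += 46 + nlen + elen + clen
    return bytes(buf)


def make_sample(names, encrypted=False) -> bytes:
    """Constructed sample attachment: a stored ZIP holding the given names."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"placeholder content, not a real document")
    data = out.getvalue()
    return _mark_encrypted(data) if encrypted else data


if __name__ == "__main__":
    samples = [
        ("plain xls in zip", make_sample(["invoice.xls"])),
        ("password-protected xls in zip", make_sample(["invoice.xls"], encrypted=True)),
        ("zip inside zip", make_sample(["inner.zip"])),
        ("not a zip", b"MZ\x90\x00 definitely not an archive"),
    ]
    for desc, blob in samples:
        r = triage_zip(blob)
        print(f"{desc:32} -> {verdict(r):5} {r}")
```

The check is deliberately read-only: it never calls `open()` on an entry, so a crafted archive cannot trigger a decompression bomb or a path-traversal name during triage. Nested archives are held rather than recursed into here; a production filter would unpack the inner archive with the same function and a depth limit.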
Updated on 2022-10-20
Because Dridex operated on a closed model, giving access to its botnet only to a handful of very carefully vetted operators, Emotet, and later TrickBot, cornered the market in malware-as-a-service (MaaS) offerings for ransomware gangs. Read more: More on URSNIF (Gozi/IFSB)
Updated on June 2022: Emotet update
The Emotet malware has returned to deploying an SMB spreader module to allow it to move laterally across an infected network. Read more: Emotet SMB spreader overview
Emotet deploys credit card stealer
The same Proofpoint Threat Insights team also reported a major change in the Emotet botnet, which made a comeback last year. According to the security firm, in recent attacks, a section of the Emotet botnet also tried to load a payment card stealer module inside the Chrome browser. Proofpoint said that “once card details were collected they were exfiltrated to different C2 servers than the module loader,” suggesting the data might have been collected by someone running tests or who rented access to the Emotet botnet for this particular operation.
On June 6th, Proofpoint observed a new #Emotet module being dropped by the E4 botnet. To our surprise it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader. pic.twitter.com/zy92TyYKzs
— Threat Insight (@threatinsight) June 7, 2022
Updated on May 2022: Emotet botnet
The Trend Micro team has published a technical report on the recent malspam campaigns carried out by the Emotet botnet since its return this winter.
Updated on December 2021: Microsoft December Patch Tuesday
Microsoft's monthly security updates for December 2021 comprise fixes for more than 65 vulnerabilities, including one for a zero-day flaw in the Windows AppX Installer that has been used to spread Emotet malware. The batch also resolves an issue that prevented Defender for Endpoint from launching on certain systems.
Note
- Remember Patch Tuesday, or were you distracted by another security concern? So far, pushing this update has been smooth, and the fix for Defender not launching will relieve some of the stress caused by that issue. Make sure your team is on this update as well as the Apple updates also released. Note that the zero-day (CVE-2021-43890) in the AppX Installer is being actively exploited.
- The actively exploited vulnerability is being used by multiple initial access groups and then sold via initial access brokers to other groups, including ransomware. It is a busy month for patching, but try to get these done before the holidays. Many organizations try to implement year-end freezes. These should not be in scope of that.
Read more in
- December 2021 Security Updates
- Microsoft Patches Zero-Day Spreading Emotet Malware
- Microsoft closes installer hole abused by Emotet malware, Google splats Chrome bug exploited in the wild
- Microsoft Patch Tuesday, December 2021 Edition
- Microsoft fixes bug blocking Defender for Endpoint on Windows Server
Updated on April 2021: Update Delivered by Law Enforcement in January is Now Deleting Emotet
Over the weekend, law enforcement officials activated code that erases Emotet malware from infected computers. In late January 2021, law enforcement agencies from several countries took control of Emotet’s command and control infrastructure. Shortly thereafter, Germany’s federal police agency, Bundeskriminalamt, began pushing out the update designed to remove Emotet.
Note:
- The uninstaller was delivered by the captured Emotet C2 servers in late January with a self-destruct date of April 25th. The package addresses the two ways Emotet achieves persistence: either as a system service or a Run key. The Malwarebytes blog explains the behavior of the package and actions it takes. Per the US DOJ, the update was provided by foreign law enforcement using overseas C2 servers, not FBI agents. The delay between distribution and removal was to give time for responders to complete forensic analysis and cleanup of any other related malware.
- The Emotet takedown appears to be one of the more successful takedowns in recent memory. A lot has been written about law enforcement pushing an update to remove the malware (similar also to recent law enforcement action against unpatched Exchange servers). I believe we should and hopefully will see more of the same in the future. Waiting for users to patch and fix their systems hasn’t been working and these systems become ticking timebombs waiting for additional infections, or being used to revive taken down botnets.
Read more in:
- Cleaning up after Emotet: the law enforcement file
- Emotet malware self-destructs after cops deliver time-bomb DLL to infected Windows PCs
- Following similar move in US, Europol prepares coup de gras for Emotet’s remains
- This software update is deleting botnet malware from infected PCs around the world
- Emotet malware nukes itself today from all infected computers worldwide
- Law enforcement delivers final blow to Emotet
- Emotet Malware Automatically Uninstalled
Updated on March 2021: TrickBot Warning
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint alert warning of “continued targeting through spearphishing campaigns using TrickBot malware.” A group of cybersecurity companies took steps to dismantle the TrickBot infrastructure last fall. The effort disrupted TrickBot operations for several weeks. The CISA/FBI alert provides a list of suggested mitigations, including blocking suspicious IP addresses, using antivirus software, and providing phishing and social engineering training to employees.
Note:
- TrickBot is getting more exposure after legal actions shut down some competing botnets. Please do not focus too much on blocking specific IP addresses as they tend to change quickly. One interesting method to detect TrickBot is by inspecting TLS certificates. Tools like Zeek are excellent to collect this information and it tends to be quite useful not just for TrickBot.
- Attackers use TrickBot to drop other malware such as Ryuk and Conti ransomware, or to serve an Emotet downloader. The alert linked below includes a layout of TrickBot's techniques, mapped to MITRE ATT&CK techniques. That mapping can be used to help others understand the relevance of ATT&CK. Mitigations include user training, policy and procedures for reporting suspect email, firewall rules, as well as segmenting systems to limit lateral movement. I have seen great success in reporting by adding a reporting button to email clients. Note: You will have to respond to reported messages for usage to continue past the initial rollout.
Read more in:
- Alert (AA21-076A) TrickBot Malware
- FBI: Phishing emails are spreading this sophisticated malware
- Five Months After Takedown Attempt, CISA and FBI Warn of Ongoing TrickBot Attacks
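The certificate-inspection idea in the note above, worked through as an added example that is not part of the alert or the editor's note: a small Python routine parses Zeek's ssl.log and x509.log, joins them on the certificate file ID that ssl.log carries in cert_chain_fuids, and flags sessions whose leaf certificate is self-signed, unusually long-lived, marked as a CA, or presented with no SNI on a port other than 443. The log lines are constructed (documentation IP ranges, made-up UIDs), and the heuristics are generic starting points, not TrickBot's actual certificate fields, which this page does not list.

```python
from datetime import datetime, timezone

# Constructed ssl.log and x509.log excerpts in Zeek's TSV format: '#fields'
# names the columns, other '#' lines are metadata, '-' means unset.
SSL_LOG = "\n".join([
    "#separator \\x09",
    "#path\tssl",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tcert_chain_fuids",
    "1615800000.1\tC1\t10.0.0.5\t51000\t192.0.2.10\t443\tTLSv12\texample.com\tFA",
    "1615800001.2\tC2\t10.0.0.5\t51001\t198.51.100.7\t449\tTLSv12\t-\tFB",
    "1615800002.3\tC3\t10.0.0.9\t51002\t203.0.113.20\t443\tTLSv13\tupdate.example.net\tFC",
])
X509_LOG = "\n".join([
    "#separator \\x09",
    "#path\tx509",
    "#fields\tts\tid\tcertificate.subject\tcertificate.issuer\tcertificate.not_valid_before\tcertificate.not_valid_after\tbasic_constraints.ca",
    "1615800000.1\tFA\tCN=example.com,O=Example Inc\tCN=Example Public CA,O=Example Trust\t1600000000.0\t1630000000.0\tF",
    "1615800001.2\tFB\tCN=localhost,O=Default Company Ltd\tCN=localhost,O=Default Company Ltd\t1615700000.0\t1950000000.0\tT",
    "1615800002.3\tFC\tCN=update.example.net\tCN=Example Public CA,O=Example Trust\t1610000000.0\t1617800000.0\tF",
])


def parse_zeek_log(text: str) -> list:
    """Parse a Zeek TSV log into dicts keyed by the '#fields' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#"):
            continue
        else:
            if fields is None:
                raise ValueError("data before #fields header")
            values = line.split("\t")
            rows.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return rows


def flag_tls_sessions(ssl_rows, x509_rows, max_validity_days=3650) -> list:
    """Return (uid, resp_h, reasons) for sessions whose server certificate
    looks hand-rolled. Heuristics are generic, not a TrickBot signature."""
    certs = {row["id"]: row for row in x509_rows}
    findings = []
    for s in ssl_rows:
        reasons = []
        fuids = (s.get("cert_chain_fuids") or "").split(",")
        leaf = certs.get(fuids[0]) if fuids[0] else None   # first fuid is the leaf
        if leaf is not None:
            if leaf["certificate.subject"] == leaf["certificate.issuer"]:
                reasons.append("self-signed")
            nvb = datetime.fromtimestamp(float(leaf["certificate.not_valid_before"]), tz=timezone.utc)
            nva = datetime.fromtimestamp(float(leaf["certificate.not_valid_after"]), tz=timezone.utc)
            if (nva - nvb).days > max_validity_days:
                reasons.append("long validity")
            if leaf.get("basic_constraints.ca") == "T":
                reasons.append("leaf marked CA")
        if s.get("server_name") is None and s["id.resp_p"] != "443":
            reasons.append("no SNI on non-443 port")
        if reasons:
            findings.append((s["uid"], s["id.resp_h"], reasons))
    return findings


if __name__ == "__main__":
    for uid, host, why in flag_tls_sessions(parse_zeek_log(SSL_LOG), parse_zeek_log(X509_LOG)):
        print(uid, host, ", ".join(why))
```

Run against real logs, feed the parser the files from Zeek's log directory and tune `max_validity_days` to your environment; the point of collecting this in Zeek rather than blocking IP addresses is that certificate fields change far less often than the infrastructure behind them.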
Updated on January 2021: International Effort Disrupts Emotet Operations
Law enforcement and judicial authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine have worked together to disrupt the Emotet malware. The operation took control of Emotet's command-and-control infrastructure, which comprised hundreds of servers around the world. At least two people have been arrested in Ukraine in connection with the operation. Law enforcement officials in the Netherlands are delivering an Emotet update that will remove it from infected devices on April 25, 2021. Read more in:
- World’s Most Dangerous Malware Emotet Disrupted Through Global Action
- The Cybersecurity 202: International law enforcement took down a leading cybercrime gang
- Cops Disrupt Emotet, the Internet’s ‘Most Dangerous Malware’
- Authorities plan to mass-uninstall Emotet from infected hosts on April 25, 2021
- International Action Targets Emotet Crimeware
- Intl. Law Enforcement Operation Disrupts Emotet Botnet
- Authorities Take Down Emotet Botnet
Updated on September 2020: Qbot (Pinkslipbot) Trojan Evolves, Spread via Emotet
Qbot has exhibited new features and new command-and-control infrastructure, inserting itself into legitimate email threads and distributing ransomware, according to a Check Point research report that also observed Emotet campaigns delivering Qbot: An Old Bot's Nasty New Tricks: Exploring Qbot's Latest Attack Methods.
Updated on July 2020: Emotet Botnet is Back
The Emotet botnet, which has been dormant since early February 2020, has re-emerged. On Friday, the botnet became active again, sending spam in an attempt to infect new users with the malware using malicious Word and Excel documents.
Read more in:
- Emotet botnet returns after a five-month absence
- There’s a reason your inbox has more malicious spam—Emotet is back
- Emotet spam trojan surges back to life after 5 months of silence
Updated on April 2020: Microsoft DART Case Report: Emotet Caused Full Operational Shutdown
Microsoft's Detection and Response Team (DART) has published a case report describing an incident in which the Emotet malware shut down an organization's entire operational network. The attack began with a malicious attachment to a phishing email. Once the attackers had a foothold, they spread Emotet across the network. Emotet fetched updated versions of itself every few days, enabling it to evade antivirus detection. The malware maxed out computers' CPUs and consumed the network's bandwidth, shutting down the company's core services.
Note: “Phishing” and other attacks designed to dupe and exploit users will continue to be the Achilles heel of the enterprise unless and until we isolate e-mail and browsing from other enterprise applications.
Read more in:
- Full Operational Shutdown (PDF)
- Full Operational Shutdown—another cybercrime case from the Microsoft Detection and Response Team
- Microsoft: Emotet Attack Shut Down an Entire Business Network
- Microsoft: Emotet Took Down a Network by Overheating All Computers
Overview: New Emotet Variant Can Spread Through Wi-Fi Networks
A recently-detected variant of Emotet malware has the ability to spread from infected devices to nearby unsecured Wi-Fi networks. From there, it can attempt to infect connected devices. When Emotet first appeared more than five years ago, it was a banking Trojan. Over the years, it has gained the ability to install a variety of malware on infected devices.
Note: The Japanese CERT, JP-CERT, has a great write up on this malware at www.jpcert.or.jp: [Updated] Alert Regarding Emotet Malware Infection, and they have also released a tool to check for Emotet called EmoCheck; it can be downloaded from the JP-CERT GIT Repository: github.com: JPCERTCC / EmoCheck
Read more in: