The Emotet botnet is back up and running after an eight-week absence, and has been observed carrying out a phishing email campaign that is sending between 100,000 and 500,000 emails to recipients daily.

Emotet was first tracked in 2014 and began life as a banking Trojan; however, over the years the malware has evolved. While Emotet retains its banking Trojan functionality, it is now best known as a malware downloader that is used to deliver a range of secondary payloads. The payloads it delivers also act as malware downloaders, so an Emotet infection often leads to multiple malware infections, with ransomware frequently delivered as the final payload.

Once Emotet is installed on an endpoint, that endpoint is added to the Emotet botnet and is used for spam and phishing attacks. Emotet emails copies of itself to the user’s contacts and uses other self-propagation mechanisms to infect other computers on the network. Emotet can be difficult to remove from a network: once one computer is cleaned, it is often reinfected by other infected computers on the network.

Emotet often goes inactive for many weeks or even months, but even with long gaps in operations, Emotet remains the leading malware threat. Emotet went dormant around February 2020, with activity resuming five months later in July. Activity continued until late October, when it stopped once again until Tuesday this week, when Emotet came back in time for Christmas. In 2020, Emotet has been observed delivering TrickBot and other payloads such as Qakbot and ZLoader.

During the periods of inactivity, the threat actors behind the malware are not necessarily idle; they simply halt their distribution campaigns. During the breaks they update their malware and come back with a new and improved version that is more effective at evading security measures.

The most recent campaign uses tactics similar to past campaigns to maximize the probability of end users opening a malicious Office document. The phishing emails are usually personalized to make them look more authentic, with Emotet inserting malicious content into hijacked message threads. Since the emails appear to be replies to past conversations between colleagues and contacts, there is a better chance that the recipient will open the email attachment or click a malicious URL.

This campaign uses password-protected files, with the password to open the file supplied in the message body of the email. Since email security solutions cannot open these files, they are more likely to reach inboxes. The malicious documents distributed in this campaign contain malicious macros. If the macros are enabled – which the user is told is necessary to view the content of the document – Emotet is installed, after which the TrickBot Trojan is delivered, usually followed by a ransomware variant such as Ryuk.

Earlier campaigns did not display any additional content once the macros were enabled; however, this campaign displays an error message after the macros have been enabled, telling the user that Word experienced an error opening the file. This is likely intended to make the user think that the Word document is corrupted. A variety of themes are used for the emails, with the most recent campaign using holiday season and COVID-19 related lures.

A review by Cofense identified several changes in the most recent campaign, including switching the malware binary from an executable (.exe) file to a Dynamic Link Library (.dll) file, which is executed using rundll32.exe. The command-and-control communications have also been changed and now use binary data rather than plain text. Both changes make the malware harder to spot.
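A defender-side check for the loader change Cofense describes, written here as an added example that is not part of the original article or of any vendor product: it scans constructed process-creation events (hypothetical EDR fields `parent`, `image`, `cmdline`, `user`) for an Office application spawning rundll32.exe with a DLL located in a user-writable path, which is the behaviour the macro-to-DLL chain above would produce.

```python
"""Detect an Office process launching rundll32.exe with a DLL from a
user-writable path. Field names, paths and events below are constructed
sample telemetry, not real Emotet indicators."""
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Paths a standard user can write to (Windows, case-insensitive).
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# First DLL path passed on the rundll32 command line.
DLL_ARG = re.compile(r"([a-z]:\\[^\s,]+\.dll)", re.I)

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "image": r"C:\Windows\System32\rundll32.exe",
                "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\doc1.dll,EntryPoint",
                "user": "alice"}),
    json.dumps({"parent": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\rundll32.exe",
                "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                "user": "bob"}),
    json.dumps({"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                "image": r"C:\Windows\System32\notepad.exe",
                "cmdline": "notepad.exe report.txt",
                "user": "carol"}),
])

def basename(path):
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious(event):
    """True when an Office parent runs rundll32 with a DLL in a user-writable path."""
    if basename(event["parent"]) not in OFFICE_PARENTS:
        return False
    if basename(event["image"]) != "rundll32.exe":
        return False
    m = DLL_ARG.search(event["cmdline"])
    return bool(m and USER_WRITABLE.match(m.group(1)))

def scan(log_text):
    """Return (user, parent process) pairs for every suspicious event."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if is_suspicious(ev):
                hits.append((ev["user"], basename(ev["parent"])))
    return hits

if __name__ == "__main__":
    for user, parent in scan(SAMPLE_EVENTS):
        print(f"ALERT: {parent} spawned rundll32 with a user-path DLL (user={user})")
```

Only the first constructed event should fire; the second is rundll32 loading a system DLL from explorer.exe, and the third is an Office parent launching something other than rundll32.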

Firms need to be particularly vigilant, should act swiftly if infections are detected, and should take steps to ensure their networks are protected with anti-virus software, security policies, spam filters, and web filters.