Emotet was the most dangerous malware botnet of 2018 and 2019. The botnet went quiet on February 7, 2020, but it has now reappeared and is being used to spread Trojan malware.

The botnet was spotted on July 17 running a malicious spam campaign of at least 30,000 emails, mostly targeting organizations in the United States and United Kingdom. The campaign has since grown to around 250,000 emails a day and is now worldwide.

The Emotet botnet is a network of computers infected with Emotet malware; around half a million infected Windows computers are estimated to be under the control of the botnet operators. Those infected devices are contacted through the hackers’ command and control (C2) servers and are sent instructions to send out spam emails distributing Emotet malware.

Once the malware is installed, the infected computer is added to the botnet and used to send spam emails. Emotet infections can also spread laterally within an organization: when investigations are initiated following the detection of Emotet, it is common to find the malware installed on other computers as well.

What makes Emotet so dangerous is that the operators of the botnet pair up with other threat groups and deliver other strains of malware. Emotet has been used to distribute a range of malware variants since its creation in 2014, but recently the payload of choice has been the TrickBot Trojan. TrickBot is a banking Trojan and information stealer that also acts as a malware downloader. In addition to stealing sensitive data, the operators of TrickBot pair up with other malware developers, notably the creators of Ryuk ransomware. Once TrickBot has stolen data, the baton is passed to Ryuk, which also steals data before encrypting files on the network. The new Emotet campaign began by distributing the TrickBot Trojan, although the payload has since changed to the QakBot banking Trojan. QakBot also delivers ransomware as a secondary payload, with ProLock often used in the past.

Emotet emails use a range of lures to get recipients to click links to malicious websites or open infected email attachments. Emotet targets companies, so the lures are business related, such as fake shipping notices, invoices, purchase orders, receipts, and job applications. The emails are typically personalized, and the threat actors are known to hijack existing email threads and send responses with malicious documents attached.
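As an added defender-side illustration (not from the original article), the following Python triage heuristic flags the two traits described above: business-themed lure subjects carrying document attachments, and replies to one of our own email threads arriving from a domain that never took part in that thread. The sent-mail index, keyword list, domains and sample message are all constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed index of threads we started: Message-ID -> domains we wrote to. A genuine
# reply should come from one of them; a hijacked-thread reply usually does not.
SENT_INDEX = {"<20200715.4471@example-corp.test>": {"supplier.test"}}
LURE_WORDS = ("invoice", "shipping", "purchase order", "receipt", "job application")  # assumed
DOC_SUFFIXES = (".doc", ".docm", ".xls", ".xlsm", ".zip")

def sender_domain(msg):
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

def document_attachments(msg):
    # Filenames of attachments that look like Office documents or archives.
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(DOC_SUFFIXES)]

def triage(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons, docs = [], document_attachments(msg)
    if docs:
        reasons.append("document attachment: " + ", ".join(docs))
    lure = any(w in (msg["Subject"] or "").lower() for w in LURE_WORDS)
    if lure:
        reasons.append("business-themed lure subject")
    expected = SENT_INDEX.get(str(msg["In-Reply-To"] or ""))
    hijacked = expected is not None and sender_domain(msg) not in expected
    if hijacked:
        reasons.append("reply to our thread from a domain that was never part of it")
    if docs and (hijacked or lure):
        return "quarantine", reasons
    return ("review" if docs or hijacked else "deliver"), reasons

def build_sample(from_addr, subject, in_reply_to=None, attachment=None):
    # Constructed sample mail (not real traffic) for exercising triage().
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, "accounts@example-corp.test", subject
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    msg.set_content("Please see the attached and confirm.")
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()

THREAD = "<20200715.4471@example-corp.test>"
HIJACKED = build_sample("Bob <bob@mail-relay.test>", "Re: Purchase order 4471", THREAD, "PO_4471.doc")
```

Running `triage(HIJACKED)` returns the `quarantine` verdict with all three reasons, while the same reply sent from `supplier.test` without an attachment is delivered.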

An Emotet infection is serious and should be dealt with the same urgency as a ransomware attack. Prompt action may allow Emotet to be removed before a secondary payload is delivered.

Luckily, Emotet malware is distributed via email, which gives companies the chance to stop infections. By using an advanced spam filter such as SpamTitan, which has sandboxing to subject email attachments to deep analysis, these malicious emails can be identified and quarantined. Coupled with other email security measures such as end user training, businesses can mount a robust defense and prevent infections.