Emotet Returns Just in Time for the Holidays
- By Dawna M. Roberts
- Published: Dec 28, 2020
- Last Updated: Mar 18, 2022
Emotet reemerged after a two-month hiatus just in time for the holidays and, according to Threatpost, has been targeting 100,000 victims per day. The most recent attacks use a fake error message and a downloadable DLL to trick users into infecting themselves.
What is Emotet?
Emotet started out as a banking Trojan in 2014. After several iterations it evolved into a downloader that delivers other payloads. Threatpost cautions that Emotet can install various types of malware on a device, including “information stealers, email harvesters, self-propagation mechanisms and ransomware.”
More recently it was used in a campaign themed around the Democratic National Convention. Before that it was used by attackers to deliver the Trickbot Trojan and to send SMS messages posing as the victims’ bank. Typically, after a burst of activity, the botnet goes dark for a few weeks before showing up again.
The Emotet botnet is one of the most damaging and prolific threats in circulation, capable of emailing a huge volume of users and infecting a massive number of devices in a single campaign. The most common payloads delivered by Emotet are Trickbot, Qakbot, and ZLoader.
What Happened?
According to CyWare Social, many of the attacks seen right before Christmas were either COVID-related or Christmas-themed:
- “This recent spam campaign started in mid-December and it could lead to compromised business networks, as people are still working from home.
- More than 100k+ messages in English, German, Spanish, Italian, and other languages have been discovered. Lures are using thread hijacking with PW-protected zips, Word attachments, and URLs.
- Emotet has worm-like features that enable network-wide infections. In addition, the trojan now uses modular DLLs to regularly update and evolve its capabilities.
- Proofpoint issued alerts on Twitter on December 21 that showed a screenshot of the social engineering trick fooling recipients into turning off a Microsoft 365 feature that blocks malicious documents.”
Emotet Using the Trickbot Botnet
The Trickbot botnet is a sophisticated network of servers delivering the Trickbot banking Trojan to victims’ computers. Some of its most common uses are wire fraud, bank account takeovers, and ransomware attacks.
The latest campaign is using the Trickbot botnet, and Threatpost warns: “We’re seeing 100k+ messages in English, German, Spanish, Italian and more. Lures use thread hijacking with Word attachments, pw-protected zips and URLs.”
Thread hijacking is when attackers insert themselves into an existing email thread, replying to real messages stolen from a previously compromised mailbox, so that the victim trusts the email and never suspects foul play.
Sherrod DeGrippo told Threatpost: “Our team is still reviewing the new samples and thus far we’ve only found minor changes. For example, the Emotet binary is now being served as a DLL instead of an .exe. We typically observe hundreds of thousands of emails per day when Emotet is operating. This campaign is on par for them. As these campaigns are ongoing, we are doing totals on a rolling basis. Volumes in these campaigns are similar to other campaigns in the past, generally around 100,000 to 500,000 per day.”
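The detail that the payload now arrives as a DLL rather than an .exe matters for defenders, because a DLL cannot run on its own: something has to load it, and on a victim's machine that is usually a signed Windows host such as rundll32.exe or regsvr32.exe started by the Office application that opened the lure. The following is an added example, not code from the article, Proofpoint or Threatpost, of a detection check over process-creation events for that chain: an Office parent spawning a DLL host whose command line points at a DLL in a user-writable location. The JSON log format, the field names (ParentImage, Image, CommandLine) and the sample events are constructed for this example, and the choice of rundll32/regsvr32 as the DLL hosts is an assumption about how a dropped DLL would be launched, not something the article states.

```python
import json
import re
from pathlib import PureWindowsPath

# Office applications a lure document would be opened in (assumption: the usual
# maldoc parents; the article only mentions Word attachments).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries that load and execute a DLL (assumption, see lead-in).
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# Locations a macro can write to without elevation.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# An absolute Windows path ending in .dll as it appears inside a command line
# (quoted or not); lazy so it stops at the first .dll.
DLL_PATH_RE = re.compile(r'([a-z]:\\[^",]*?\.dll)')


def _basename(image):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def dropped_dll_path(event):
    """Return the user-writable DLL path an Office-spawned DLL host was asked
    to load, or None when the event does not match the chain."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in DLL_HOSTS:
        return None
    match = DLL_PATH_RE.search(event.get("CommandLine", "").lower())
    if not match:
        # No absolute .dll path on the command line; relative paths are out of
        # scope for this check and would need the process's working directory.
        return None
    path = match.group(1)
    return path if path.startswith(USER_WRITABLE_PREFIXES) else None


def scan(log_lines):
    """Run the check over JSON-lines process events; return (parent, dll) hits."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        path = dropped_dll_path(event)
        if path:
            hits.append((_basename(event["ParentImage"]), path))
    return hits


# Constructed sample events (hypothetical paths and file names, not real IOCs).
SAMPLE_LOG = [
    # Word launching a DLL dropped in the user's temp folder: should fire.
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\Nwrk\\lqzx.dll\",Control_RunDLL"}',
    # Explorer running a system DLL: benign, wrong parent.
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}',
    # Word running a DLL from System32: Office parent but not a dropped file.
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\printui.dll,PrintUIEntry"}',
    # Excel registering a DLL under ProgramData via regsvr32: should fire.
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\ProgramData\\Lmpq\\ydat.dll"}',
    # Word spawning cmd.exe: suspicious in its own right, but not this chain.
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo hi"}',
]


if __name__ == "__main__":
    for parent, dll in scan(SAMPLE_LOG):
        print(f"ALERT: {parent} loaded {dll}")
```

The check deliberately keys on the parent/child pair plus the DLL's location rather than on file names or hashes, since the article itself notes that the operators change the packaging of the binary between waves; an Office application asking rundll32 or regsvr32 to load a DLL out of a user profile or ProgramData is rare in normal use and survives such changes. Tune OFFICE_PARENTS and USER_WRITABLE_PREFIXES to your environment before deploying it.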
Taking Advantage of the Holidays
She also mentioned that Emotet typically takes a break between December 24 and early January, but this year the operators ramped up operations instead. Threat researchers also noted that many of the 100k+ emails asked recipients to open a .zip attachment (something security professionals always warn against) or to enter a password supplied in the email to unlock it; a password-protected archive cannot be inspected by a mail gateway, which is why the lure carries the password.
Because the attackers use thread hijacking, victims are more apt to trust the sender and to open attachments or provide the requested information. As a final precaution, threat analysts warn the public to be extra vigilant around this time of year. In the past the holidays were a quieter period when it was safer to let your guard down, but not this year. Companies and individuals should watch for anything odd or suspicious right now.