The actors responsible for the Emotet botnet returned after a four-month period of inactivity with a new malspam campaign.
On 16 September, SpamHaus security researcher Raashid Bhat spotted a spate of new spam emails written in Polish or German that contained malicious attachments or links to malware downloads.
Emotet is fully back in action and spamming. Within the past 15 minutes our researchers have observed activity. #botnet #emotet #ThreatIntel pic.twitter.com/jRTNqph6K0
— Spamhaus (@spamhaus) September 16, 2019
These attachments and links, in turn, exposed recipients to Emotet. The samples enlisted victims’ computers into the Emotet botnet, a network of infected devices which digital attackers are increasingly using as a malware-as-a-service (MaaS) to target users with additional malware such as Ryuk. Lake City is all too familiar with this functionality; back in July 2019, the Florida municipality paid digital attackers $460,000 after suffering a “triple threat” ransomware attack in which the Emotet trojan served as a downloader of Trickbot and Ryuk.
This new campaign arrived after a period of apparent inactivity for the malware. That’s not to say Emotet wasn’t busy in the beginning of the year. Indeed, Proofpoint observed in its “Q1 2019 Threat Report” that Emotet made up 61 percent of malicious payloads in Q1 2019. But then the malware family went quiet soon thereafter, with Check Point observing hardly any new malware campaigns beginning in June.
That being said, Emotet’s revival didn’t come as a surprise to Bhat. As explained by ZDNet:
Bhat believes the Emotet operators have spent the last few weeks re-establishing communications with previously infected bots that they abandoned at the end of May, and spreading across local networks to maximize the size of their botnet before moving on to their main operation — sending out email spam.
At the time of this writing, it remains unclear why the malware family took a hiatus.
Whatever the reason, this campaign highlights the need for organizations to defend themselves against malware attacks. They can do so by investing in a solution that’s capable of detecting known malware signatures as well as behavior indicative of zero-day threats. Learn how Tripwire can help.