The Return of Emotet

If you had a chance to read our quarterly threat landscape report, you might have noticed that our data showed Emotet activity significantly decreasing. However, our researchers predicted that it would resurface with new tactics. Sure enough, they were right.


In our recent webinar, one of our security analysts, Shawn Pope, discusses Emotet and his predictions for the impact of its return.

Shawn Pope: “Emotet is starting to pop back up, and it’s coming in different formats, it’s coming in with different payloads. Not only will it have Emotet, but it might also have Agent Tesla in there with it. And so, it’s already on the rise, and I wouldn’t be surprised if we start seeing it everywhere again. We’re going to start seeing these large-scale campaigns to wear back to the, you know, email security stuff, and just a fire and forget.”

“That’s what’s going to happen. We’re going to see these massive campaigns on our e-mail solution that we have. We’ll see pages’ worth; everything will have the same subject line, and it’ll be from all different types of emails. At the end of the day they’re trying to get something out to everybody, and that’s when we go back to that fire and forget, like they’re just blasting us out to any email they have. If they get one or two people, you know, it’s successful in their eyes. So definitely, like I said, Emotet is going to be on its way back to banking malware.”

“So if you get infected by this, what it’s trying to do is look through your web browsing, your different browsers, and look for maybe bookmarks to your banking or something like that, and then it can try to harvest credentials, ultimately infiltrate that data, and from there that’s financial; also you may be having to be identity theft, you know, they might sell it on the black market for three dollars, I don’t know, but they’re looking to get it.”


Shortly after our webinar, our Security Analytics Team detected more Emotet activity: Emotet has reappeared and resumed its business of sending infected spam email around the world. Considered one of today’s most dangerous malware botnets, Emotet had been dormant for the past four months. On September 16th the spam emails resumed in the UK, Italy, Poland, Germany and the US. Although the C2 servers had come online on August 22nd, it is believed the Emotet operators spent the intervening weeks preparing the botnet for operations on the 16th.

It has been confirmed that Emotet’s payload was TrickBot, a banking trojan and malware loader delivered as a secondary infection dropped by Emotet. The emails used a financial theme and appeared to be replies to a previous conversation. Once opened, the malicious document requires the user to enable content, which enables macros so the embedded code can run. The campaign targeted almost 66,000 emails across more than 30,000 domains from over 385 unique top-level domains. These spam emails originated from 3,362 senders whose credentials had been stolen.

Be on the lookout for this type of spam campaign. In addition to disguising the email as a reply to an existing thread, the operators also attempt to trick users into enabling macros with a fake warning that their Microsoft Word software won’t work beyond September 20th; a genuine Microsoft logo is added to the email body as well.
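The lure traits described above (a forged “Re:” subject with no real threading headers, a macro-enabled Word attachment, “enable content” instructions and a fake software-expiry deadline) can be turned into a simple triage check for mail gateways or SOC tooling. The script below is an added example written for this post, not code from the original article or its authors; the sender addresses, the invoice text and the in-memory `.docm`/`.docx` containers are all constructed for the demonstration (the “macro” part is a placeholder byte string, not real VBA).

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Lure phrasing reported for the campaign: instructions to enable content/macros
# and a bogus deadline after which Word supposedly stops working.
LURE_PATTERNS = {
    "asks recipient to enable content or macros":
        re.compile(r"enable\s+(content|editing|macros?)", re.I),
    "fake software-expiry warning":
        re.compile(r"(won'?t|will\s+not|no\s+longer)\s+(work|function)\s+(beyond|after)", re.I),
}
MACRO_ENABLED_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm")


def attachment_has_vba(data: bytes) -> bool:
    """True if an OOXML (zip) container carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML; legacy binary .doc would need a separate check


def score_message(raw: bytes) -> dict:
    """Return a score (number of matched indicators) and the reasons behind it."""
    msg = email.message_from_bytes(raw)
    reasons = []

    # Genuine replies carry In-Reply-To/References; a bare "Re:" subject does not.
    subject = msg.get("Subject", "")
    if re.match(r"^\s*(re|fw|fwd)\s*:", subject, re.I) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        reasons.append("reply-style subject without threading headers")

    body_text = []
    macro_attachment = False
    for part in msg.walk():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue  # multipart container, nothing to inspect
        filename = part.get_filename()
        if filename:
            if filename.lower().endswith(MACRO_ENABLED_EXTENSIONS) or attachment_has_vba(payload):
                macro_attachment = True
                reasons.append(f"macro-enabled Office attachment: {filename}")
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body_text.append(payload.decode(charset, errors="replace"))

    text = "\n".join(body_text)
    for label, pattern in LURE_PATTERNS.items():
        if pattern.search(text):
            reasons.append(label)

    return {"score": len(reasons), "macro_attachment": macro_attachment, "reasons": reasons}


# --- constructed sample data below (not real campaign artefacts) ---------------

def build_office_doc(with_vba: bool) -> bytes:
    """Minimal OOXML-shaped zip; the VBA part is a placeholder, not real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


def build_sample_email(malicious: bool) -> bytes:
    """Constructed lure (malicious=True) or a benign real reply (malicious=False)."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"   # constructed address
    msg["To"] = "finance@company.example"       # constructed address
    msg["Subject"] = "Re: Invoice payment"
    if malicious:
        msg.set_content(
            "Please see the attached invoice. Enable content to view it.\n"
            "Microsoft Word will no longer work after September 20th."
        )
        msg.add_attachment(build_office_doc(True), maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12",
                           filename="invoice.docm")
    else:
        msg["In-Reply-To"] = "<constructed-thread-id@company.example>"
        msg.set_content("Thanks, the signed copy is attached.")
        msg.add_attachment(build_office_doc(False), maintype="application",
                           subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                           filename="invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print("malicious" if flag else "benign", score_message(build_sample_email(flag)))
```

The score is deliberately a plain count of independent indicators so an analyst can read each reason; a gateway rule would typically quarantine on the macro-attachment indicator alone and use the lure-text and threading checks to prioritise review of the rest.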

Make sure to check out our quarterly threat landscape report pulled from our thousands of customer networks.
