Emotet’s massive botnet was dormant for several months, but on July 17th, 2020, it suddenly rumbled back to life.
It started spewing out massive numbers of phishing emails aimed at installing Trickbot payloads on anyone unfortunate enough to open one of their poisoned emails. The emails are often described as invoices, manifests, and the like.
In recent days, security researchers have noted that Emotet has begun swapping Trickbot payloads out with QakBot payloads, which include the use of the ProLock ransomware strain. Whichever payload is deployed, however, security researchers have noticed something else. Emotet got another upgrade.
The upgrade takes the form of an email attachment stealer. Once installed on a target system, it will scan that target’s inbox and sent folders looking for email attachments. The malware isn’t picky, and will take anything, copying whatever files it finds and sending them to the command and control server so it can recycle and reuse the attachments on future phishing emails.
This may not sound like it, but is actually a devastatingly effective strategy. By using live files, the phishing emails gain a further air of authenticity. The data those files contain looks legitimate because it is legitimate in that the file was generated by someone working for a corporation and sent around to others for review.
Worse, Emotet doesn’t show any signs of slowing down. This week, based on statistics compiled by the interactive malware analysis platform AnyRun, Emotet was ranked as the malware threat of the week. It was measured by uploads, with nearly ten times the total uploads as njRAT, which claimed the #2 spot.
Given the size of the Emotet botnet, this is definitely a threat to be mindful of. Make sure your IT staff is aware of the large scale, ongoing phishing campaign by the botnet and be sure to remind all of your employees not to open any email attachments unless they’re absolutely certain where they’re coming from.