More than 160 days after the last observed Emotet delivery via email, Proofpoint researchers have confirmed its return. Emotet is a versatile and widely disruptive threat. Early versions carried a module used to commit banking fraud, and for years the malware was widely classified as a banking Trojan. Later versions stopped loading their own banking module and instead loaded third-party banking malware. More recently, we have observed Emotet delivering third-party payloads such as Qbot, The Trick, IcedID, and Gootkit. In addition, Emotet loads its own modules for spamming, credential stealing, email harvesting, and spreading on local networks.
As of this publication, Proofpoint has observed nearly a quarter million Emotet messages sent on July 17, 2020, and the number continues to climb. The threat actor, TA542, appears to have targeted multiple verticals across the US and UK with English language lures. These messages contain malicious Microsoft Word attachments or URLs linking to Word documents (Figures 1-3). The URLs often point to compromised WordPress hosts.
Like lures observed previously, these are simple, with minimal customization. Subject lines such as a bare “RE:” or “Invoice #” followed by a fake invoice number are common, and they often include the name of the targeted organization.
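The lure characteristics described above (sparse subjects, target organization names, Word attachments or links to Word documents on compromised WordPress hosts, macros that must be enabled by the user) translate directly into mail-gateway triage rules. The following is an added example written for this page, not Proofpoint's detection logic or any code from TA542's campaign. It assumes a simplified message dictionary (subject, URLs, attachments) as input, uses RFC 2606 example hostnames, and builds minimal OOXML containers in memory as constructed test data; the macro check relies only on the standard library and flags legacy OLE .doc files for deeper inspection rather than parsing them.

```python
"""Triage heuristics for Emotet-style lures (constructed example, not vendor code).

Two offline checks for a mail-security team:
  1. message level: the sparse subjects described in the post ("RE:",
     "Invoice #<n>", the target organisation's name) and delivery URLs whose
     path betrays a WordPress install;
  2. attachment level: does an OOXML Word file carry a VBA project part?
     Legacy OLE (.doc) files are flagged as needing an OLE parser (e.g. oletools).
"""
import io
import re
import zipfile
from typing import Dict, List, Optional
from urllib.parse import urlparse

SUBJECT_PATTERNS = [
    re.compile(r"^\s*RE:\s*$", re.I),          # bare "RE:" with nothing after it
    re.compile(r"\bInvoice\s*#\s*\d+", re.I),  # "Invoice #482931"
]
WP_PATH_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def subject_indicators(subject: str, org_name: Optional[str] = None) -> List[str]:
    """Return the lure patterns a subject line matches (empty list if none)."""
    hits = [f"subject:{p.pattern}" for p in SUBJECT_PATTERNS if p.search(subject)]
    if org_name and org_name.lower() in subject.lower():
        hits.append("subject:contains-target-org")
    return hits


def url_points_to_wordpress(url: str) -> bool:
    """True if the URL path contains a WordPress directory marker."""
    path = urlparse(url).path.lower()
    return any(marker in path for marker in WP_PATH_MARKERS)


def has_vba_project(data: bytes) -> Optional[bool]:
    """True if an OOXML Word file contains a VBA project part, False if not,
    None if the bytes are a legacy OLE document that needs a real OLE parser."""
    if data.startswith(OLE_MAGIC):
        return None
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower() == "word/vbaproject.bin" for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass
    return False


def triage_message(msg: Dict, org_name: Optional[str] = None) -> Dict:
    """Score one message. msg keys: subject (str), urls (list), attachments (name -> bytes).
    A WordPress URL or a macro-bearing attachment is a strong signal; a subject hit alone is weak."""
    reasons = subject_indicators(msg.get("subject", ""), org_name)
    reasons += [f"url:wordpress-path:{u}" for u in msg.get("urls", []) if url_points_to_wordpress(u)]
    for name, data in msg.get("attachments", {}).items():
        verdict = has_vba_project(data)
        if verdict is True:
            reasons.append(f"attachment:vba-project:{name}")
        elif verdict is None:
            reasons.append(f"attachment:legacy-ole-needs-inspection:{name}")
    strong = any(r.startswith(("url:", "attachment:vba-project")) for r in reasons)
    return {"suspicious": strong, "reasons": reasons}


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Word OOXML zip for testing (placeholder parts, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                     'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
    return buf.getvalue()


# Constructed sample messages; hostnames are RFC 2606 examples, not real indicators.
SAMPLE_MESSAGES = [
    {"subject": "RE:", "urls": ["https://example.org/wp-content/uploads/2020/07/doc.php"], "attachments": {}},
    {"subject": "Invoice #482931 - Example Corp", "urls": [], "attachments": {"Invoice.docm": build_ooxml(True)}},
    {"subject": "Quarterly newsletter", "urls": ["https://example.net/news"], "attachments": {"notes.docx": build_ooxml(False)}},
    {"subject": "RE:", "urls": [], "attachments": {"old.doc": OLE_MAGIC + b"\x00" * 32}},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(repr(m["subject"]), triage_message(m, org_name="Example Corp"))
```

The attachment check deliberately looks at the zip container rather than trusting the file extension: a `.docx` name says nothing about whether `word/vbaProject.bin` is inside. The legacy OLE branch returns `None` on purpose so the caller routes those files to a proper OLE parser instead of silently scoring them clean.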
Canned comment from Sherrod DeGrippo, Senior Director, Threat Research and Detection at Proofpoint:
“Proofpoint researchers have confirmed the return of Emotet via email delivery. Emotet, a versatile and widely disruptive threat, was last observed via email on February 7th of this year. Today’s campaign so far has recipients primarily in the US and UK with the lure being sent in English. The emails contain either a Word attachment or URLs linking to the download of a Word document that contains malicious macros which, if enabled by the users, will download and install Emotet. The campaign is ongoing and had reached around 250,000 messages by late Friday. Threat actor group TA542, the group behind Emotet, is historically known for using widespread email campaigns on a huge, international scale that have affected North America, Central America, South America, Europe, Asia, and Australia. Their campaigns are largely centered around credential stealing and installing banking malware or other payloads. Emotet is a highly effective malware that is capable of downloading and installing a range of additional malware that often steal information, send malicious email, and spread across networks using infected devices to launch future attacks. Its infrastructure is test- and metric-driven and is built to scale depending on what’s working. Given this, it is important that security teams continue to secure their email channel and educate users regarding the increased risks associated with potentially malicious email attachments to protect against this form of attack.”