One of the world’s most prolific botnets has returned and is once again attempting to deliver malware to victims via phishing attacks.
Emotet started life as a banking trojan before evolving into a botnet, which its criminal operators leased out to other hackers as a means of delivering their own malware to previously compromised machines.
Such was the power of the botnet that at one point last year it accounted for almost two-thirds of of malicious payloads delivered in phishing attacks.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
But after seemingly disappearing towards the end of 2019, Emotet has now returned with a giant email-spamming campaign, as detailed by researchers at cybersecurity company Proofpoint.
Known as TA542, the hacking operation behind Emotet resumed activity on Monday 13 January with a campaign that appeared to be predominantly targeting pharmaceutical companies in the US, Canada and Mexico.
One of the phishing lures consisted of a brief email claiming to contain a ‘SOC report’ for the date the message was sent, alongside an attached Word document. This document contains the malicious payload.
However, this appeared to be a mere test run for launching a much wider spam campaign, because the following day, the attacks had spread around the world. The Emotet phishing emails have been spotted targeting potential victims across North America, Europe, South East Asia and Australia.
The languages used in the phishing lures also expanded; they were only using English on the first day of the campaign, but by the second day had also started using Chinese, German, Italian, Japanese and Spanish. The campaign also expanded to go after targets in a variety of different industries.
“Emotet is one of the world’s most disruptive threats and organizations worldwide should take its return seriously. They have a massive sending infrastructure – nobody hits volumes like they do,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
“TA542’s recent uptick in activity shows that threat actors work smarter not harder. They took 150 days off in 2019 and, even with breaks, they’re incredibly effective,” she added.
SEE: Frankfurt shuts down IT network following Emotet infection
It’s expected that Emotet will continue malicious activity throughout the course of the year, whether through campaigns to rope new Windows machines into its botnet network, or additional campaigns by hacking groups that have rented out the infrastructure for their own purposes.
To protect against falling victim to Emotet campaigns, researchers recommend that organisations take the necessary steps to ensure email is secure as possible and to train users to be wary of unexpected emails that encourage them to take urgent action, such as clicking on links or opening attachments.
“It’s important security teams continue to secure their email channel and educate users regarding the increased risks associated with email attachments.” said DeGrippo.
MORE ON CYBERSECURITY