It was never a question of “if” but “when”. After five months of absence, the dreaded Emotet has returned. Following several false alarms over the last few weeks, a spam campaign was first spotted on July 13 showing signs of a likely comeback.
The Emotet botnets started pushing malspam actively on Friday, July 17, using the same techniques they employed previously. Malicious emails contain either a URL or an attachment. One familiar technique is for the document to be sent as a reply within an existing email thread.
The document contains a heavily obfuscated macro:
Once the macro is enabled, WMI launches PowerShell to retrieve the Emotet binary from one of several compromised websites. PowerShell iterates through the list of sites until it finds one that responds.
Once the payload is executed, it sends a confirmation back to one of Emotet's command and control servers.
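A detection check for the chain described above, added here as an example and not part of the Malwarebytes write-up: it walks constructed Sysmon-style process-creation events and flags PowerShell spawned by WmiPrvSE.exe (the tell-tale of a WMI launch, which hides WINWORD.EXE as the parent) or directly by an Office process, when the command line carries download-cradle traits. The events, field names, feature patterns and threshold are all assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields); not real telemetry.
# The WMI launch makes WmiPrvSE.exe, not WINWORD.EXE, the parent of powershell.exe (pid 1402).
EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\a\Downloads\Re_ Invoice.doc"'},
    {"pid": 1340, "ppid": 700, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": "WmiPrvSE.exe -secured -Embedding"},
    {"pid": 1402, "ppid": 1340, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -enc QUJD"},                 # placeholder, not a real payload
    {"pid": 1450, "ppid": 1340, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-Service"},  # benign WMI-driven admin task
    {"pid": 1510, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -w hidden -enc QUJD"},            # direct Office child, for comparison
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
WMI_HOST = "wmiprvse.exe"
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits of a download cradle; each one found is recorded as a hit.
FEATURES = {
    "encoded command": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop\b|-noprofile\b", re.I),
    "download cradle": re.compile(r"downloadfile|downloadstring|webclient|invoke-webrequest|\biex\b", re.I),
}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_cmd(cmd):
    """Return the names of the cradle features present in a command line."""
    return [name for name, rx in FEATURES.items() if rx.search(cmd)]

def find_suspicious_powershell(events, min_hits=2):
    """Flag PowerShell whose parent is the WMI provider host or an Office app
    and whose command line shows at least min_hits cradle features."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else "<unknown>"
        hits = score_cmd(e["cmd"])
        if (parent_name == WMI_HOST or parent_name in OFFICE) and len(hits) >= min_hits:
            alerts.append({"pid": e["pid"], "parent": parent_name, "features": hits})
    return alerts
```

Running `find_suspicious_powershell(EVENTS)` flags pids 1402 and 1510 and leaves the benign WMI-launched `Get-Service` alone; in production the parent check is the part that survives obfuscation of the macro itself.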
Emotet has returned to its old tricks
Emotet was by far the most visible and active threat on our radars in 2018 and 2019—right up until it went into an extended break.
Emotet is used by cybercriminals as the initial entry point, followed by a dwell time that can last days or weeks. In the meantime, other threats such as TrickBot can be delivered as a secondary payload.
The real damage from an Emotet compromise happens when it forms alliances with other malware gangs, in particular with threat actors interested in dropping ransomware.
Malwarebytes users were already protected against Emotet thanks to our signature-less anti-exploit technology.
We also detect the Emotet binary as a standalone file:
Indicators of Compromise