Emotet Strikes Back

The past few days have seen the resurgence of Emotet, a dangerous email threat vector that aims to steal sensitive and financial information.

ZIX, the cybersecurity company that specialises in email security, has uncovered a worrying trend that could lead to users falling victim to cybercriminals seeking to exploit the uncertainty of these precarious times by stealing money from unwitting and undersecured users. This instance of financial-stealing malware is appearing again after five months under the radar, catching many enterprises and individuals off guard.

Emotet is a modular banking Trojan that relies on heavy obfuscation and evasion techniques while committing financial theft. The Trojan spreads itself throughout the network by using its worm spreader module and brute-force attacks within the network.

The primary method Emotet uses to reach its target is malspam – emails containing malicious attachments or links. These emails often use familiar branding or previously scraped conversations, and commonly spoof someone in the same company. These types of scams are often difficult to discern because of their sophisticated nature. This means that users must be all the more vigilant about documents that may contain a malicious payload, and should open them only if they have been properly vetted. Unfortunately, the sophisticated nature of the Emotet scams means that some email security parameters are not well enough equipped to protect users, and the emails often reach their target unnoticed.

ZIX observed small volumes of Emotet malspam earlier in the week commencing the 13th of July, 2020. The email security experts have suggested that this was potentially the cybercriminal syndicate testing their operation. However, after only a few days, Chris Lee, cybersecurity analyst at ZIX, revealed that the criminal activity had increased. “Emotet’s three unique botnets ramped up their operations. They’re known for distributing extremely large amounts of malspam utilizing these botnets.”

Most of Emotet’s malspam campaigns had gone dormant since early February. However, Lee revealed that the latest updates include a WiFi spreader module, which can wreak havoc on unsecured networks that are increasingly being utilised by a mobilised workforce.

Emotet Sample:


One of the many variants that ZIX has recently observed hides the payload URL in the HTML of the message. The emails containing these malicious payloads will urge users to open the link, often by evoking a sense of urgency. Once clicked, the link prompts the download of a malicious rich text format (.rtf) file.

“You can see that they’re spoofing sbcglobal.net in an attempt to appear legitimate,” Lee revealed, going on to state that “this domain is very commonly spoofed and one that bad actors have had success with in the past”. As past endeavours spoofing this domain have proved to be fruitful, it is no surprise that the cybercriminals conspiring behind the Emotet scheme have continued to leverage the same domain.

In this example, kindly shared by the research team at ZIX, the Emotet syndicate seems to be spoofing the City of Liberty, Texas. The link points to a .doc file download.


Another variant of this ongoing campaign with a directly attached malicious .doc file

In the example above, cybercriminals are spoofing an excavating business, proving that they have no restraints and that nobody is off limits. Furthermore, phishing emails like this often use time-sensitive language, or documents that make users feel obliged to open them to prevent missing out on valuable information.

All of the samples ZIX has investigated so far are using the same template. Lee warned that these threat actors are claiming the file was created on an iOS device and you must “Enable Editing” or “Enable Content” to view the supposed content of the file. If you select “Enable Editing” or “Enable Content”, the macros will run and execute the infection process, targeting your financial information.
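The two delivery variants described above (a document link carried in the HTML body, and a directly attached document) can be flagged at mail triage. The following is an added example, not code from ZIX or from the original article; the function names, the sample message and the `example.test` host are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".doc", ".docm", ".rtf")           # document types named in the article
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # signature of the legacy .doc container
RTF_MAGIC = b"{\\rtf"                           # signature of a rich text format file

class LinkCollector(HTMLParser):
    """Collects every href in the HTML body, whatever text is shown to the user."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def triage(raw_message: bytes) -> list:
    """Return findings for one raw message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" and not name:
            parser = LinkCollector()
            parser.feed(part.get_content())
            for href in parser.hrefs:
                # Check the URL path only, so a query string cannot hide the extension.
                if urlparse(href).path.lower().endswith(RISKY_EXT):
                    findings.append(f"link-to-document:{href}")
        elif name:
            data = part.get_payload(decode=True) or b""
            # Flag by extension or by content, so a renamed document is still caught.
            if name.endswith(RISKY_EXT) or data.startswith((OLE2_MAGIC, RTF_MAGIC)):
                findings.append(f"document-attachment:{name}")
    return findings

# Constructed sample message (not taken from the campaign).
SAMPLE = (
    b"From: Billing <billing@example.test>\r\nSubject: Invoice overdue\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=XX\r\n\r\n"
    b"--XX\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<p>Review <a href="http://example.test/files/INV-2020.doc?id=7">your invoice</a>.</p>\r\n'
    b"--XX\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="report.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n0M8R4KGxGuEAAAAA\r\n--XX--\r\n"
)
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A finding here is a reason to quarantine and inspect the message, not proof of Emotet: legitimate mail also carries document links and attachments.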

Mitigation Tactics

Chris Lee and the email security experts at ZIX have shared some advice on how enterprises and individual users can best mitigate and limit the threat of Emotet and other nefarious email-centric scams.

  1. The best thing you can do is to disable macros for your company. The easiest way to accomplish this is through Group Policy (a feature of Microsoft Windows Active Directory that adds additional controls to user and computer accounts). Reach out to your IT/Helpdesk team to see if this is an option or has already been done.
  2. User education has never been more important. Malicious actors are constantly innovating and pivoting, so users need to be on their game and know what to look for and what not to click on. Establish an easy process in your company where users can submit anything suspicious to your IT/Helpdesk team for review.
  3. Defense in depth is something that your company should constantly strive for, securing security partnerships with tried and tested security providers. This is especially true when considering email security, as all too often this is a secondary function of third-party security providers, when in reality it should be prioritised as the critical risk vector that it is.