There’s a reason your inbox has more malicious spam: Emotet is back



Emotet, the world’s most expensive and destructive botnet, returned from a five-month hiatus on Friday with an explosion of malicious spam aimed at spreading a backdoor that installs ransomware, bank fraud Trojans and other nasty malware.

The botnet sent some 250,000 messages during the day, primarily to people in the United States and the United Kingdom, Sherrod DeGrippo, senior director of threat research and detection at security firm Proofpoint, told Ars. Other researchers said the targets were also located in the Middle East, South America and Africa. The botnet followed its characteristic pattern of sending a malicious document, or a link to a malicious file, that installs the Emotet backdoor when opened.

A map showing where Emotet hit on Friday.

The botnet gave its first hints of a return on Tuesday, when small volumes of messages were sent. The email samples posted to the Twitter accounts of the abuse.ch and Spamhaus threat monitors looked like this:

Emotet’s resurgence on Friday was also detected by antivirus vendor Malwarebytes and by Microsoft.

Bag of tricks

Emotet has proven to be one of the most ingenious threats to confront people in recent years. Its emails often appear to come from a person the target has corresponded with in the past, and the malicious messages frequently reuse the subject lines and bodies of earlier email threads in which both parties took part. Emotet obtains this material by harvesting contact lists and inboxes from infected computers.

The technique has a double benefit. It tricks the target into thinking the message can be trusted because it appears to come from a friend, acquaintance or known business partner who is following up on a previously discussed matter. The inclusion of authentic content also makes it harder for spam filters to classify the emails as malicious.

Another of Emotet’s clever tricks is stealing the usernames and passwords for outgoing email servers. The botnet then uses the credentials to send mail through those servers instead of relying on its own infrastructure. Because the malicious messages originate from trusted servers, they are harder for security products to detect and block.

Hit and run

DeGrippo said the last time Emotet had shown up was during a five-day run in early February that delivered about 1.8 million messages. The botnet is known for making big bangs over short periods and then staying silent for weeks or months at a time. Last September, it woke up from a four-month sleep.

The group is also known for taking regular breaks over weekends and major holiday seasons. True to its normal pattern, Emotet’s activity had come to a complete halt by Saturday morning, when this post was published. Besides letting its operators maintain a healthy balance between work and personal life, the schedule makes campaigns more successful.

“The key for most threat actors is to minimize the time between when [malicious mail] hits the inbox and when the target opens it,” DeGrippo explained. “The more time elapses, the greater the risk to the threat actor that their payload will not be delivered due to mitigating controls.”

Emotet messages carry malicious Microsoft Word documents, or PDFs or URLs that link to malicious Word files. The Word documents contain macros that, when enabled, install the Emotet backdoor. The backdoor generally waits a period of days before installing follow-on malware such as the TrickBot banking Trojan or Ryuk ransomware.
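Because the infection chain described above depends on a macro-bearing Word document, a mail gateway can quarantine such attachments before anyone is asked to enable macros. The following is an added example, not code from the article or from any of the vendors it names: it inspects the OOXML (.docx/.docm) zip container for an embedded VBA project, using a sample container constructed in memory; legacy .doc (OLE2) files are out of scope.

```python
"""Flag Word attachments that carry a VBA macro project (added example, not from the article)."""
import io
import zipfile

# Content type declared for the macro project in [Content_Types].xml
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OOXML_MAGIC = b"PK\x03\x04"  # zip local-file header; OOXML documents are zip containers

def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML container in `data` embeds a VBA macro project."""
    if not data.startswith(OOXML_MAGIC):
        return False  # not zip-based: a legacy OLE .doc or something else entirely
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "word/vbaProject.bin" in names:
                return True
            # Fall back to the declared content types in case the part was renamed
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        return False
    return False

def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment for a gateway rule: 'macro', 'clean' or 'unknown'."""
    if filename.lower().endswith((".docx", ".docm", ".dotm")):
        return "macro" if has_vba_project(data) else "clean"
    return "unknown"  # PDFs and links in the body need their own checks

def build_sample(with_macro: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed test data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        zf.writestr("[Content_Types].xml", "<Types>%s</Types>" % "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_attachment("invoice.docm", build_sample(True)))   # macro
    print(triage_attachment("invoice.docx", build_sample(False)))  # clean
```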

Researchers have posted indicators of compromise from Friday’s message blast here, here and here.

Emotet is another reminder that people should be very suspicious of files and links sent via email, especially when they seem out of context, such as a friend sending an invoice. People should be doubly suspicious of any Word document that requires macros to be enabled before its content can be viewed. There is rarely any reason for consumers to use macros, so a good rule of thumb is to never enable them for any reason. An even better policy is to open Word documents in Google Docs, which prevents any malware from installing on the local computer.