July 28, 2020 By David Bisson 3 min read

A malspam campaign involving Emotet saw a resurgence after five months of laying low, Malwarebytes detected on Friday, July 17. This operation used the well-known method of sending attack emails as a reply within an existing email thread. From there, the emails invited the recipient to open an attachment. Named “Form – Jul 17, 2020.doc,” the attachment opened a Microsoft Word document that informed the user of the need to enable content.

If they agreed to do so, the user inadvertently enabled a heavily-obfuscated macro embedded within the document. That macro then proceeded to call Windows Management Instrumentation (WMI), which in turn launched PowerShell. As its final phase, the campaign used PowerShell to iterate through a list of compromised remote websites. Once it identified one that was responding, the operation pulled down an Emotet payload and installed it on the victim’s machine. Then, the malware sent confirmation back to one of its command-and-control (C&C) servers.

Restoring the “Real Damage” of an Emotet Attack

Malwarebytes notes the real damage from an Emotet infection comes from the threat group’s alliances with other malware actors. In particular, it opens machines up to actors responsible for families that are capable of dropping ransomware onto an infected computer. The actors responsible for coordinating Emotet’s attacks are aware of this point.

Just three days after Malwarebytes spotted this malspam campaign, a security researcher told Bleeping Computer that they had spotted Emotet distributing TrickBot, a trojan which has a history of distributing ransomware such as Conti and Ryuk. Just a day later, Bleeping Computer learned the Emotet gang had begun distributing QakBot across all three branches of the botnet’s infrastructure. QakBot is another preferred partner of Emotet that has in some instances loaded ProLock ransomware onto infected machines.

Emotet: Threat Activity Before Its Five-Month Pause

The threat activity described above marks the return of Emotet after nearly a five-month pause. It did not enter into that break with a whimper, however. 

Threat actors used Emotet in multiple attack campaigns before its hiatus. At the beginning of February 2020, IBM X-Force discovered an operation in which attackers had employed coronavirus 2019 as a lure in malspam emails to deliver Emotet via weaponized Word documents. Two weeks later, IBM researchers disclosed a SMiShing campaign in which attackers impersonating well-known banks sent text messages from what appeared to be local U.S. numbers. They used that cover to trick recipients into clicking on a link that redirected them to domains hosting Emotet.

These two attack campaigns, not to mention the use of brute-forcing attacks on local WiFi networks, played a large part in Check Point Research’s decision to name Emotet as the second most-popular malware in February 2020. It came behind Mirai, a threat which at the time was targeting internet of things (IoT) devices with a new vulnerability. It did so as a means of building its botnet and conducting distributed denial-of-service (DDoS) attacks.

How to Defend Against Emotet

Security professionals can help their organizations defend against an Emotet infection first and foremost by investing in a security awareness training program. As part of this education initiative, infosec personnel should regularly test their employees with phishing simulations. Emotet has a history of using email attacks to enter organizations. Therefore, by educating their employees about such campaigns, security professionals will be able to reduce the likelihood of an attack email entering into the organization.

Next, they need to realize that some attack emails will get through employees’ defenses. Therefore, they need to set up some technical controls designed to monitor the network for signs of malicious macros, a common delivery vector for Emotet. They can do this by implementing proper logging, reviewing logs for suspicious activity and performing endpoint scans.

Last but not least, infosec personnel need to stay on top of the latest attack campaigns, partnerships and tactics employed by malware actors such as those responsible for Emotet. The best way they can do this is by using threat intelligence services to prepare themselves against these new developments.

More from

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today