Emotet’s massive botnet was dormant for several months, but on July 17th, 2020, it suddenly rumbled back to life. Now as we enter the festive season, we are again seeing a resurgence of this botnet.
Back in July, it started spewing out massive numbers of phishing emails aimed at installing Trickbot payloads on anyone unfortunate enough to open one of their poisoned emails. The emails are often described as invoices, manifests, and the like.
In recent days, security researchers have noted that Emotet has begun swapping Trickbot payloads out with QakBot payloads, which include the use of the ProLock ransomware strain. Whichever payload is deployed, however, security researchers have noticed something else. Emotet got another upgrade.
The upgrade takes the form of an email attachment stealer. Once installed on a target system, it will scan that target’s inbox and sent folders looking for email attachments. The malware isn’t picky, and will take anything, copying whatever files it finds and sending them to the command and control server so it can recycle and reuse the attachments on future phishing emails.
This may not sound like it, but is actually a devastatingly effective strategy. By using live files, the phishing emails gain a further air of authenticity. The data those files contain looks legitimate because it is legitimate in that the file was generated by someone working for a corporation and sent around to others for review.
Worse, Emotet doesn’t show any signs of slowing down. This week, based on statistics compiled by the interactive malware analysis platform AnyRun, Emotet was ranked as the malware threat of the week. It was measured by uploads, with nearly ten times the total uploads as njRAT, which claimed the #2 spot.
Given the size of the Emotet botnet, this is definitely a threat to be mindful of. Make sure your IT staff is aware of the large scale, ongoing phishing campaign by the botnet and be sure to remind all of your employees not to open any email attachments unless they’re absolutely certain where they’re coming from.
If you are unsure, seek advise.
Virtual IT Managed Services Clients can simply attach the email and send it through the client portal for analysis.
If you are not a client of ours, we would be happy to offer some assistance. Simply call us on 1300 551 486 for a no obligation discussion of your issue.
Or you could visit a security community site called VirusTotal – on this site you can get a FREE appraisal of the file, URL or email from the security community.
Don’t even think about calling a computer consultant before you read this!
