Flash Notice - Emotet Botnet is Back with New Spam Campaigns

November 19, 2021

Overview of emotet

Last seen in January 2021, after law enforcement took them down, Emotet is back and is using TrickBot to install Emotet malware on infected Windows systems. TrickBot is a malware botnet that is often used by cyber criminals to load secondary malware payloads and commonly seen in ransomware incidents .

After 10 months of darkness, Emotet was recently seen by cyber security researcher, Brad Duncan, spamming multiple email campaigns to infect devices with the malware. The campaigns use reply-chain emails to persuade victims into opening malicious attachments disguised as Word/Excel documents or password-protected ZIP files. Reply-chain email attacks are another form of social engineering where the attacker sends a malicious email from a genuine, but stolen email account. Some of the reply-chain emails Duncan discovered included a missing wallet, a canceled meeting, and even political donations.

Currently, there are two malicious documents being distributed. The first document is an Excel attachment asking the victim to click on “Enable Content” to view the contents. The other is a Word attachment that says the document is in “Protected” mode and users must enable content and editing to view it. However, after the victim opens the attachments and click, they enable malicious macros that launch a PowerShell command that then downloads the Emotet loader DLL from a compromised WordPress site.

After being downloaded, Emotet configures a startup value under the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This is done so the malware can launch when Windows starts. Emotet will then run silently in the background, waiting for commands to execute to from its C2. The commands could be used steal email account information, spread the malware to other computers, or to install additional payloads like TrickBot. Emotet was once considered the largest botnet cyber security had ever seen, let’s not give it a reason to regain its title. Keep your organization from becoming another victim by staying educated on cyber security best practices.

How Avertium is Protecting Our Clients

Increasing visibility within your environment is crucial when trying to prevent or mitigate a potential attack from botnets like Emotet. Avertium offers EDR protection through SentinelOne, Sophos, and Microsoft Defender.
- SentinelOne prevents threats and extends protection from the endpoint to beyond. Find threats and eliminate blind spots with autonomous, real time, index-free threat ingestion and analysis that supports structured, unstructured, and semi-structured data.
- Our Partners, Microsoft and Sophos, also offer endpoint protection. Sophos can help secure your environment by protecting and prioritizing potential threats. Microsoft Defender provides real-time threat detection, as well as firewall and network protection. The program comes standard with Windows.
Avertium also offers user awareness training and phishing simulation campaigns using KnowBe4..

Avertium's recommendations

Block communication to C2s to prevent Emotet from dropping payloads on compromised devices.
Abuse.ch, a malware monitoring organization, has a list of 245 IP addresses to block. Please look at this list and use them accordingly.
Apply security patches to your devices when they are released.
Provide awareness training for employees regarding the dangers of phishing emails.