More than 160 days after the last observed Emotet delivery via email, Proofpoint researchers have confirmed its return. Known as a versatile and widely disruptive threat, early versions of Emotet had a module that was used to commit banking fraud, and for years, the malware was widely classified as a banking Trojan. However, later versions of Emotet no longer loaded its own banking module, and instead loaded third party banking malware. More recently, we have observed Emotet delivering third-party payloads such as Qbot, The Trick, IcedID, and Gootkit. Additionally, Emotet loads its modules for spamming, credential stealing, email harvesting, and spreading on local networks.
As of this publication, Proofpoint has observed nearly a quarter million Emotet messages sent on July 17, 2020, and the number continues to climb. The threat actor, TA542, appears to have targeted multiple verticals across the US and UK with English language lures. These messages contain malicious Microsoft Word attachments or URLs linking to Word documents (Figures 1-3). The URLs often point to compromised WordPress hosts.
Similar to lures observed previously, these are simple, with minimal customization. Subject lines like “RE:”, “Invoice #” followed by a fake invoice number are commonly seen, and often include the name of the organization being targeted.
Figure 1: Email lure with malicious Word doc attachment
Figure 2: Additional email lure with malicious Word doc attachment
Figure 3: Word document with malicious macros
When the macros are enabled, Emotet is downloaded and installed on the user’s host. Often, Emotet downloads and installs additional modules to steal credentials, harvest emails, and spread itself across local networks.
Emerging Threats Network Signatures
2029380 ET TROJAN Win32/Emotet CnC Activity (POST) M8
2842317 ETPRO TROJAN Win32/Emotet CnC Activity (POST) M9