Emotet Returns After Five Month Hiatus

More than 160 days after the last observed Emotet delivery via email, Proofpoint researchers have confirmed its return. Known as a versatile and widely disruptive threat, early versions of Emotet had a module that was used to commit banking fraud, and for years, the malware was widely classified as a banking Trojan. However, later versions of Emotet no longer loaded its own banking module, and instead loaded third party banking malware. More recently, we have observed Emotet delivering third-party payloads such as Qbot, The Trick, IcedID, and Gootkit. Additionally, Emotet loads its modules for spamming, credential stealing, email harvesting, and spreading on local networks.

As of this publication, Proofpoint has observed nearly a quarter million Emotet messages sent on July 17, 2020, and the number continues to climb. The threat actor, TA542, appears to have targeted multiple verticals across the US and UK with English language lures. These messages contain malicious Microsoft Word attachments or URLs linking to Word documents (Figures 1-3). The URLs often point to compromised WordPress hosts.

Similar to lures observed previously, these are simple, with minimal customization. Subject lines like “RE:”, “Invoice #” followed by a fake invoice number are commonly seen, and often include the name of the organization being targeted.

one

Figure 1: Email lure with malicious Word doc attachment

Two

Figure 2: Additional email lure with malicious Word doc attachment

Three

Figure 3: Word document with malicious macros

When the macros are enabled, Emotet is downloaded and installed on the user’s host. Often, Emotet downloads and installs additional modules to steal credentials, harvest emails, and spread itself across local networks.

Sample IOCs

Emotet C2s

5.196.74.210:8080

209.141.54.221:8080

50.116.86.205:8080

78.24.219.147:8080

210.165.156.91:80

37.187.72.193:8080

157.245.99.39:8080

190.55.181.54:443

37.139.21.175:8080

169.239.182.217:8080

104.236.246.93:8080

200.55.243.138:8080

74.208.45.104:8080

5.39.91.110:7080

79.7.158.208:80

SHA256 Hashes

64b341748b4d7b79976592e9eb4f04444436073d12384d8b98834931e9bc84cf

b7056c2e7ac89807060c5de0d28090f2dc827182433c186bbf8a28355a375627

Emerging Threats Network Signatures

2029380 ET TROJAN Win32/Emotet CnC Activity (POST) M8
2842317 ETPRO TROJAN Win32/Emotet CnC Activity (POST) M9