Emotet Returns with Massive Volumes, New Languages, and QBot

On July 17, 2020, Proofpoint researchers posted about the return of threat actor TA542 and the Emotet malware. Before TA542’s return July 17, 2020, they were last seen February 7, 2020. This 161-day hiatus was the longest known break for this threat actor group. TA542 email campaigns are the most prevalent by message volume by a large margin, with only a few other actors coming close.

Since July 17, 2020, Proofpoint researchers have closely tracked the latest series of Emotet campaigns by TA542. During the past 40 days or so of Emotet campaigns, we have seen consistency with past campaigns as well as some notable changes. Consistent with past campaigns, we’ve seen large volumes of malicious email. Key changes TA542 have made include expanded targeting of countries using native language lures and a switch to a new Qbot affiliate.

Since July 17, 2020, we’ve seen over 7 million messages over a 40 day timespan while we saw over 6 million messages over 20 days in the January/February 2020 campaigns. The summer campaigns have an average volume of just over 180,000 messages per day compared with over 300,000 per day for the January/February 2020 campaigns. For all of 2020 so far, we’ve seen over 13 million messages linked to Emotet.

Another area of consistency with previous Emotet campaigns is how malicious email messages are sent to a wide variety of industries and organizations around the world.

One key change in these campaigns is TA542 has expanded the geographic distribution of their malicious email messages and the languages used in lures.

Past countries targeted by TA542 that are targeted in these campaigns include:

  • Australia
  • Austria
  • Canada
  • Germany
  • Japan
  • Latin American countries
  • New Zealand
  • Switzerland
  • United Arab Emirates
  • United Kingdom
  • United States

Past languages used by TA542 that are used in these campaigns include:

  • English
  • French
  • German
  • Japanese
  • Portuguese
  • Spanish

In these latest campaigns, TA542 has expanded their targeting to also include:

  • Finland
  • India
  • Indonesia
  • Norway
  • Sweden
  • The Netherlands
  • The Philippines
  • Vietnam

New languages added by TA542 in these campaigns include:

  • Hindi
  • Indonesian
  • Philippine Languages
  • Swedish
  • Norwegian
  • Finnish
  • Dutch
  • Vietnamese

This summer TA542 has changed the malware that Emotet is configured to install to Qbot, a banking malware and a backdoor. Qbot connects to a remote server, allowing an attacker to access the infected system. Qbot can steal information including banking and financial information as well as logging keystrokes, enabling it to steal usernames and passwords.

In their summer campaigns, TA542 continues to use a tactic we’ve seen in past Emotet campaigns of “thread hijacking,” the practice of inserting malicious emails into existing, ongoing email threads to make the malicious emails seem more legitimate. These campaigns also utilize COVID-19 themes in some of their lures. Further, while TA542’s hiatus began before the COVID-19 pandemic became widespread, TA542 was a very early adopter of COVID-19 themed lures, using them in January 2020.

This latest series of campaigns shows a mixture of careful, methodical expansion of tactics and techniques that have been successful in the past. TA542 combines their capacity for massive malicious email campaigns with an expanded capacity for geographic distribution and localization of lures into even more native languages. Based on past experience we can expect TA542 to continue their pattern of massive campaigns punctuated by breaks followed in turn by a return to activity that includes some moderate changes that expand their reach and effectiveness.

Subscribe to the Proofpoint Blog