A week after adding a new module capable of exfiltrating email content, and after a period of low activity, the malicious actors behind Emotet have launched a new, large-scale spam campaign.
What is Emotet?
Emotet is a family of banking Trojans known for its modular architecture, its persistence techniques and its worm-like self-propagation. It is distributed through spam campaigns that use a variety of disguises to make its malicious attachments look legitimate. The Trojan is frequently used as a downloader or dropper for potentially more damaging secondary payloads. Because of its high destructive potential, Emotet was the subject of a US-CERT alert in July 2018.
According to our telemetry, the latest Emotet operation was launched on November 5, 2018, after a period of low activity. Figure 1 shows the spike in Emotet detection rates at the beginning of November 2018, as seen in our telemetry data.
A breakdown of these detections by country, shown in Figure 2, indicates that this latest Emotet campaign is most active in the Americas, the United Kingdom, Turkey and South Africa.
In the November 2018 campaign, Emotet used malicious Word and PDF attachments posing as invoices, payment notifications, bank account alerts and the like, purporting to come from legitimate organizations. Alternatively, the emails contained malicious links instead of attachments. The subject lines used in the campaign's emails indicate that the targets are users in English- and German-speaking countries. Figure 3 shows the November 2018 detection activity for Emotet's malicious documents. Figures 4, 5 and 6 are examples of the campaign's emails and attachments.
In this November 2018 campaign, the compromise chain begins when the victim opens a malicious Word or PDF document attached to a spam email that appears to come from a legitimate, well-known organization.
Following the instructions in the document, the victim enables macros in Word or clicks the link in the PDF. Subsequently, the Emotet payload is installed and executed, establishes persistence on the computer, and reports the successful compromise to its C&C server. Immediately afterwards, it receives instructions to download the attack modules and secondary payloads.
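The delivery stage described above (an invoice-themed lure carrying a macro-enabled Word document or a PDF with an embedded link) is the point at which a mail gateway or analyst can intervene cheapest. The following triage helper is an added example, not ESET's code or anything from the campaign itself: it flags attachments that are macro-enabled OOXML documents (the VBA project lives in the ZIP entry `word/vbaProject.bin`), PDFs carrying `/URI`, `/JavaScript` or `/Launch` actions, and subject lines matching the invoice/payment/account-alert themes the campaign used. The German lure keywords and the sample attachments are constructed assumptions for the demonstration; legacy binary `.doc` (OLE2) files are only flagged for follow-up with a proper OLE parser rather than inspected here.

```python
"""Attachment triage for Emotet-style maldoc lures (added example, not ESET's code).

Returns a list of human-readable reasons an attachment should be quarantined
for analyst review. Only OOXML (.docx/.docm) packages are inspected for
macros; OLE2 .doc files are flagged for inspection with a dedicated parser.
"""
import io
import re
import zipfile

# Lure themes used by the campaign (invoices, payment notifications, bank
# account alerts). English terms come from the campaign description; the
# German equivalents are an assumption added for this example.
LURE_SUBJECT_PATTERNS = [
    r"\binvoice\b", r"\bpayment\b", r"\baccount\b.*\balert\b",
    r"\brechnung\b", r"\bzahlung\b", r"\bkonto\b",
]

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc compound file
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML packages are ZIPs
PDF_MAGIC = b"%PDF"


def subject_matches_lure(subject):
    """True if the subject line matches one of the invoice/payment lure themes."""
    s = subject.lower()
    return any(re.search(p, s) for p in LURE_SUBJECT_PATTERNS)


def ooxml_has_vba(data):
    """True if an OOXML package contains a VBA project, i.e. is macro-enabled."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False
    return any(n.endswith("vbaproject.bin") for n in names)


def triage_attachment(filename, data, subject):
    """Collect reasons to quarantine one attachment; an empty list means no finding."""
    reasons = []
    if subject_matches_lure(subject):
        reasons.append("subject matches invoice/payment/account-alert lure theme")
    if data.startswith(ZIP_MAGIC) and filename.lower().endswith((".docx", ".docm", ".doc")):
        if ooxml_has_vba(data):
            reasons.append("Office document contains a VBA project (macros)")
    elif data.startswith(OLE2_MAGIC):
        reasons.append("legacy OLE2 document: inspect for macros with an OLE parser")
    elif data.startswith(PDF_MAGIC):
        if b"/URI" in data:
            reasons.append("PDF contains a URI action (embedded link)")
        if b"/JavaScript" in data or b"/Launch" in data:
            reasons.append("PDF contains a JavaScript or Launch action")
    return reasons


def build_sample_docx(with_macro):
    """Construct a minimal OOXML package in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


# Constructed sample PDF with a single URI action object.
SAMPLE_PDF_WITH_LINK = (
    b"%PDF-1.4\n1 0 obj << /Type /Action /S /URI /URI (http://example.invalid/) >> endobj\n%%EOF\n"
)


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_docx(True), "Invoice 4711"),
        ("notes.docx", build_sample_docx(False), "Meeting notes"),
        ("invoice.pdf", SAMPLE_PDF_WITH_LINK, "Payment notification"),
    ]
    for name, blob, subj in samples:
        print(name, "->", triage_attachment(name, blob, subj) or ["no finding"])
```

Each finding is a reason to hold the message rather than a verdict; the combination of a lure-themed subject and a macro-enabled or link-bearing attachment is what should trigger quarantine and analyst review.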
The modules extend the initial payload's functionality with features including credential theft, network propagation, sensitive-information harvesting and port forwarding, among others. As for secondary payloads, this campaign has seen Emotet drop TrickBot and IcedID on compromised computers.
This recent spike in Emotet activity simply shows that this Trojan family remains an active threat, and one of growing concern given the recent update to its modules. ESET detects and blocks all Emotet components under the detection names listed in the IoC section.