After a two-month hiatus, the Emotet group has revved up its operations again, making one last push before the end of the year.
Security researchers began seeing a fresh spam run carrying Emotet-laced attachments this week, the first such campaign since October. The new campaign is using a variety of subject lines in the malicious emails, including Christmas-themed ones and others related to COVID-19. The Emotet group utilizes three discrete botnets to send out spam, known as Epoch 1, 2, and 3. In the new campaign, each botnet is focusing on different types of lures, according to telemetry from the Cryptolaemus group, a cadre of researchers who track Emotet.
“Emotet is back spamming you some XMas cards and Covid Reports again. Operation Zip Lock (Password Protected Zips) strong on E1. E2 was mostly links & E3 was attachments,” the group said in a tweet Monday.
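The password-protected archives mentioned in the tweet are used because mail gateways cannot open them to scan the contents, so a useful defensive check is simply to flag any attachment whose ZIP headers carry the encryption bit. The following is an added example, not code from the article or from the Cryptolaemus group: it parses a mail message, inspects each attachment's ZIP magic bytes and the general-purpose flag in the central directory, and reports attachments that are password protected. The sample message, the filename `cards.zip` and the archive contents are constructed inline for the demonstration.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Bit 0 of the ZIP general-purpose flag marks an entry as encrypted (password protected).
ZIP_ENCRYPTED_FLAG = 0x1
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def zip_has_encrypted_entries(data: bytes) -> bool:
    """Return True if any entry in the archive is flagged as encrypted.

    Only the central directory is read, so no password is needed to decide.
    Non-ZIP input is treated as "not an encrypted ZIP" rather than an error.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def find_encrypted_zip_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of password-protected ZIP attachments in an RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        # Trust the magic bytes, not the declared content type or the file extension.
        if payload[:4] in ZIP_SIGNATURES and zip_has_encrypted_entries(payload):
            hits.append(part.get_filename() or "<unnamed>")
    return hits


def make_zip(encrypted: bool) -> bytes:
    """Build a constructed sample archive, optionally marked as encrypted.

    The zipfile module cannot write password-protected archives, so for the
    encrypted sample the flag bit is set directly in the local file header
    (offset 6) and the central directory header (offset 8), which is exactly
    where a scanner reads it. The entry content is a harmless placeholder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.doc", b"constructed harmless placeholder text")
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")
        central = data.find(b"PK\x01\x02")
        data[local + 6] |= ZIP_ENCRYPTED_FLAG
        data[central + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


def build_sample_message(zip_bytes: bytes, filename: str, body: str) -> bytes:
    """Construct a sample multipart message with one ZIP attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Re: holiday schedule"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    suspicious = build_sample_message(make_zip(True), "cards.zip", "See attached.")
    benign = build_sample_message(make_zip(False), "cards.zip", "See attached.")
    print("encrypted attachments:", find_encrypted_zip_attachments(suspicious))
    print("encrypted attachments:", find_encrypted_zip_attachments(benign))
```

The check reads only the archive's central directory, so it works without the password and without extracting anything; in a gateway it would typically be one input to a quarantine or "hold for review" decision rather than a verdict on its own, since legitimate senders also use encrypted archives.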
The Emotet group is well-known for taking periodic breaks in its operations, sometimes for a few weeks, and other times for a few months at a time. It’s not exactly clear what the purpose of the shutdowns is, but researchers say it could be a chance for the operators to retool and update their infrastructure and malware. Often, when the malware operation restarts it comes back with new lures, tactics, and other features. Last year, Emotet came back in September from a short break with a new technique that involved stealing the contents of a victim’s email inbox and then using those messages to insert malicious messages into existing threads to add legitimacy. This tactic has been quite successful for the operators since its introduction.
Emotet on its own is highly dangerous, but the malware is often just the first stage of a much more complex and nasty attack chain that involves the Trickbot trojan and the Ryuk ransomware. Those three have been associated with one another for about two years, and many of the ugliest Ryuk incidents have started with an Emotet infection.
Researchers and law enforcement agencies have focused quite a lot of attention on the Emotet operators, with some notable successes. Earlier this year researchers at Binary Defense noticed a change in an update to Emotet that enabled them to develop a method to stop the malware from executing on newly infected machines. The method, known as EmoCrash, prevented the spread of Emotet for more than six months before the operators pushed another update that disabled it.
The most recent Emotet campaign is ramping up slowly but steadily. Researchers at Proofpoint have seen more than 100,000 Emotet-laden spam messages in several languages, and Abuse.ch, which tracks malware URLs and C2 activity, identified 300 new URLs on Monday.