PhishLabs has recently observed attacks targeting enterprises with Emotet payloads for the first time since January, when coordinated efforts by authorities to disrupt operations led this family of threat actors to halt activity.
Emotet’s primary function is to provide other malicious software with initial access to compromised systems. It is one of the most widely distributed and well-connected malware families, often partnering with Trickbot, Ryuk, and Conti operators to deploy ransomware attacks.
In this post, we take a look at two new Emotet lures containing infected Excel attachments. These lures are being delivered via email phishing campaigns.
Example 1
In the first example, the threat actor impersonates the Accounts & Finance Department of a large North American construction company. In the body of the email, the actor indicates that the victim needs to open the attached file to access their account. The attachment is a malicious .xlsm file that, when opened, delivers Emotet malware onto the user’s system.
The recipient’s name was used as the subject line and the email originates from a compromised website.
Sender’s Address: [email protected]
Example 2
The second example lacks content in the body, containing only a signature impersonating the Accounts & Finance Department of a global law firm. A malicious .xlsm file is also used to drop Emotet onto the victim’s device. The original sender in this example also stems from a compromised website.
Sender’s Address: [email protected]
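Both lures share three observable traits: a macro-enabled .xlsm attachment, a subject line that is simply the recipient’s name (Example 1), and a body that carries nothing but an impersonated department signature (Example 2). The script below is an added example, not PhishLabs code or anything taken from the Emotet samples: it parses an RFC 5322 message with Python’s standard email library and reports which of those three indicators are present. The sample messages, the sender domain compromised-site.example, the recipient, and the "six or more words marks a real request" heuristic are all constructed assumptions for illustration.

```python
"""Triage heuristics for the Emotet lure traits described above (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Macro-enabled Office extensions; both lures above used .xlsm.
MACRO_ENABLED_EXTENSIONS = (".xlsm", ".xlam", ".docm", ".dotm", ".pptm")


def analyse_message(raw: str) -> dict:
    """Extract the three lure indicators from one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {
        "macro_attachments": [],
        "subject_is_recipient_name": False,
        "signature_only_body": False,
    }

    # Indicator 1: macro-enabled Office attachments, judged by filename extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(MACRO_ENABLED_EXTENSIONS):
            findings["macro_attachments"].append(name)

    # Indicator 2: subject line equal to a recipient's display name (Example 1).
    subject = (msg["Subject"] or "").strip().casefold()
    to_header = msg["To"]
    if to_header is not None and subject:
        for addr in to_header.addresses:
            if addr.display_name.strip().casefold() == subject:
                findings["subject_is_recipient_name"] = True

    # Indicator 3: body containing only a signature block (Example 2).
    # Assumption: a genuine request has at least one line of six or more words.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    findings["signature_only_body"] = not any(len(ln.split()) >= 6 for ln in lines)
    return findings


def indicator_count(findings: dict) -> int:
    """Number of distinct lure indicators present; two or more warrants analyst review."""
    return (
        (1 if findings["macro_attachments"] else 0)
        + int(findings["subject_is_recipient_name"])
        + int(findings["signature_only_body"])
    )


def build_sample(subject: str, recipient: str, body: str, attachment_name: str) -> str:
    """Build a constructed sample message (not a real Emotet email) as an RFC 5322 string."""
    msg = EmailMessage()
    msg["From"] = "Accounts and Finance <accounts@compromised-site.example>"  # constructed
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    # Placeholder bytes stand in for the spreadsheet; only the filename matters here.
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename=attachment_name)
    return msg.as_string()


# Constructed samples mirroring the two lure shapes plus one benign message.
SAMPLE_LURE_1 = build_sample("Jane Doe", "Jane Doe <jane.doe@victim.example>",
                             "Please open the attached file to access your account.\n",
                             "Account_Details.xlsm")
SAMPLE_LURE_2 = build_sample("Invoice", "Jane Doe <jane.doe@victim.example>",
                             "Accounts & Finance Department\nExample Law Firm LLP\n",
                             "Invoice.xlsm")
SAMPLE_BENIGN = build_sample("Q3 budget review", "Jane Doe <jane.doe@victim.example>",
                             "Hi Jane, attached is the budget spreadsheet we discussed on Monday.\n",
                             "budget.xlsx")


def main() -> None:
    for label, raw in (("lure 1", SAMPLE_LURE_1), ("lure 2", SAMPLE_LURE_2),
                       ("benign", SAMPLE_BENIGN)):
        findings = analyse_message(raw)
        print(f"{label}: {indicator_count(findings)} indicator(s) {findings}")


if __name__ == "__main__":
    main()
```

Each indicator on its own is weak (plenty of legitimate finance mail carries spreadsheets), so the count is meant as a prioritisation signal for the mail-gateway or SOC queue rather than a block decision; the macro-enabled attachment is the one trait worth acting on directly, by stripping or sandboxing such files at the gateway.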
Emotet’s return may be attributed to many factors, one being that it was never really gone. While the January 2021 takedown of Emotet’s C2 servers did disrupt operations, the source code remained accessible for threat actor use and manipulation. As samples are detected, security researchers are reporting that the Emotet payload delivered in these phishing campaigns is, in fact, a new version of the original variant, this time supporting a larger set of commands.
Many of the recent Emotet attacks are targeting systems previously known to be compromised by Trickbot malware. Additionally, despite government officials seizing hundreds of Emotet servers during takedown operations, recent attacks point to a completely new and larger list of command and control servers.
Emotet’s resurgence is a reminder that while malware may briefly disappear, it is rarely destroyed. The partnerships Emotet operators have forged and the success the malware has seen as an initial access loader have made it one of the most resilient families to date, and we can likely expect to see continued campaigns.
PhishLabs will continue to report on Emotet as attacks are detected.