Emotet Botnet Returns
I. Targeted Industries
- Financial & Educational Institutions
- Government Agencies
- Enterprise Businesses
- Small-Medium Businesses
The Emotet botnet has resurfaced with a new spam campaign after having been inactive since February 7, 2020. Emotet is infamous for its close ties to ransomware gangs and for its ability to gain a strong initial foothold that is then used to deploy other types of malware. Emotet’s recent activity has been observed mostly in the US and the UK.
On Friday, July 17, 2020, Emotet sent a blast of about 250,000 malicious spam messages that attempt to deliver backdoors, which in turn install ransomware, bank-fraud trojans, and other malware. Organizations need to be aware of this return in order to maintain a strong security posture in light of recent Emotet events.
III. Background Information
Emotet has returned as a highly sophisticated attack. It begins by sending the victim an email that appears to come from a familiar source with whom the victim has previously corresponded. Oftentimes, the email reuses the subject line and body of a previous email thread. This information is acquired by collecting contact lists and inboxes from previously infected computers. The method is highly effective because the victim immediately lends credibility to the email, and the existing thread of related messages helps it bypass spam filters.
Emotet also steals usernames and passwords for outgoing email servers. The botnet then relies on these compromised servers rather than its own, which keeps Emotet’s own infrastructure from becoming overwhelmed. This tactic also makes it difficult for security products to detect and block the malicious messages.
The messages sent by Emotet usually carry malicious Microsoft Word documents, PDF files, or URLs that link to malicious Word files. The documents contain macros that install the Emotet backdoor when enabled by the victim. Days later, the backdoor is used to install follow-up malware such as the banking trojan TrickBot, Ryuk ransomware, or other malicious software. An Emotet compromise can become very costly to an organization, as large amounts of private information and money are put at risk.
IV. MITRE ATT&CK
- T1059 – Command and Scripting Interpreter: PowerShell, Visual Basic, Windows Command Shell
Emotet has been observed sending Microsoft Word documents with embedded macros that invoke scripts to download additional payloads. It uses PowerShell to retrieve payloads and download additional resources; the PowerShell commands are launched through cmd.exe.
- T1087.003 – Account Discovery: Email Account
Emotet has been found to use a module that scrapes email addresses from Outlook.
- T1110.001 – Brute Force: Password Guessing
Hardcoded password lists are used to conduct brute-force attacks against user accounts.
- T1566 – Phishing: Spear Phishing Links, Spear Phishing Attachments
Emotet has been delivered via emails containing links and attachments.
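The execution chain described under T1059 above (a Word document's macro launching cmd.exe, which in turn starts PowerShell) is a reliable detection point on workstation endpoints. The following is an added example, not code from the advisory or any Emotet sample: it walks constructed, simplified Sysmon-style process-creation records, flags any script host whose ancestry includes an Office application, and raises the severity when the PowerShell command line carries an encoded command. The event fields, PIDs and command lines are all made up for the illustration.

```python
"""Added example (not part of the advisory): flag the execution chain
described under T1059, an Office application spawning cmd.exe which in
turn starts powershell.exe. Events below are constructed, simplified
Sysmon-style process-creation records; PIDs and command lines are made up."""

from dataclasses import dataclass

# Parent images that should rarely spawn a scripting host on a workstation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child images whose appearance under an Office ancestor is suspicious.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str        # executable file name, lowercased
    command_line: str


# Constructed sample telemetry: one macro-driven chain plus benign events.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "winword.exe", 'winword.exe "Invoice_0717.doc"'),
    ProcessEvent(300, 200, "cmd.exe", "cmd /c powershell -w hidden -enc QUJDREVGRw=="),
    ProcessEvent(400, 300, "powershell.exe", "powershell -w hidden -enc QUJDREVGRw=="),
    ProcessEvent(500, 100, "notepad.exe", "notepad.exe"),
    ProcessEvent(600, 100, "cmd.exe", "cmd /c dir"),
]


def ancestors(by_pid, event, max_depth=8):
    """Walk up the parent chain (bounded, since telemetry may be incomplete)."""
    chain = []
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current.ppid)
        if parent is None:
            break
        chain.append(parent)
        current = parent
    return chain


def is_encoded_powershell(event):
    """True when a powershell.exe command line carries a Base64-encoded command."""
    if event.image != "powershell.exe":
        return False
    tokens = event.command_line.lower().split()
    return any(t in ("-enc", "-encodedcommand", "-e") for t in tokens)


def find_office_script_chains(events):
    """Return (office_image, child_image, child_pid, severity) for each script
    host that has an Office application somewhere in its ancestry."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for event in events:
        if event.image not in SCRIPT_HOSTS:
            continue
        for ancestor in ancestors(by_pid, event):
            if ancestor.image in OFFICE_APPS:
                severity = "high" if is_encoded_powershell(event) else "medium"
                alerts.append((ancestor.image, event.image, event.pid, severity))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_office_script_chains(SAMPLE_EVENTS):
        print("ALERT office->script chain:", alert)
```

The benign `cmd /c dir` launched directly from explorer.exe produces no alert, while both the cmd.exe and powershell.exe processes descending from winword.exe do; checking the whole ancestry rather than only the direct parent matters because the macro typically goes through cmd.exe before PowerShell runs.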
V. Recommendations
- Malware Monitoring
Continuously monitor new and existing malware families. Stay up to date on threat intelligence and defensive advancements in order to prevent, defend against, and mitigate these types of threats.
- Strong Cyber Hygiene
Users need to be wary of the validity of emails, links, downloads, and similar content, particularly replies to existing threads that arrive with an unexpected attachment. All sources should be verified.
- Scheduled Backups & Patch Updates
Back up data regularly and store the backups externally. Apply updates and patch known vulnerabilities consistently.
- Incorporate Known IOCs into IDS
Incorporate the known IOCs of the attack into your intrusion detection system (IDS) to catch any suspicious behavior related to the attack.
- Recommended Link: https://www.us-cert.gov/Ransomware
- Implement Multi-factor Authentication
Multi-factor authentication adds an extra layer of security when a user logs in and provides alerts when someone attempts to use that user's credentials.
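To show what "incorporating known IOCs into an IDS" looks like in practice, here is an added example that is not part of the advisory: it loads a small indicator list, matches it against proxy log lines (including subdomains of a listed domain), and generates Suricata DNS-query rules from the domain indicators so they can be dropped into a ruleset. Every indicator value, IP address, hostname and log line is a constructed placeholder; real indicators would come from the IOC download referenced in the next section, not from this code.

```python
"""Added example (not part of the advisory): load a constructed IOC list,
match it against constructed proxy log lines, and emit Suricata DNS rules
for the domain IOCs so they can be added to an IDS ruleset.
All indicator values below are placeholders, not real Emotet IOCs."""

# Placeholder indicators (constructed). Real values would come from the
# advisory's IOC download, not from this example.
IOCS = {
    "domain": {"malicious-docs.example", "update-cdn.example"},
    "ip": {"203.0.113.45"},  # TEST-NET-3 address used as a placeholder
}

# Constructed proxy log, one request per line:
# timestamp client_ip dest_host dest_ip method path
SAMPLE_LOG = """\
2020-07-17T09:12:01Z 10.0.0.12 malicious-docs.example 203.0.113.45 GET /inv/Invoice_0717.doc
2020-07-17T09:12:05Z 10.0.0.12 www.example.com 93.184.216.34 GET /
2020-07-17T09:14:22Z 10.0.0.33 cdn.update-cdn.example 198.51.100.7 GET /x/load.php
2020-07-17T09:15:00Z 10.0.0.40 intranet.local 10.0.0.5 POST /login
"""


def normalize_host(host):
    """Lowercase and strip a trailing dot so 'Evil.Example.' matches 'evil.example'."""
    return host.strip().lower().rstrip(".")


def domain_matches(host, domains):
    """Return the IOC domain that equals host or is a parent domain of it, else None."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_proxy_log(log_text, iocs=IOCS):
    """Scan log lines; return (line_no, ioc_type, value, client_ip) per hit."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: skip rather than abort the scan
        _, client_ip, dest_host, dest_ip, _, _ = fields[:6]
        domain = domain_matches(dest_host, iocs["domain"])
        if domain:
            hits.append((line_no, "domain", domain, client_ip))
        if dest_ip in iocs["ip"]:
            hits.append((line_no, "ip", dest_ip, client_ip))
    return hits


def suricata_dns_rules(domains, base_sid=1000001):
    """Build one Suricata DNS-query rule per domain; SIDs are assigned in sorted order."""
    rules = []
    for offset, domain in enumerate(sorted(domains)):
        rules.append(
            'alert dns any any -> any any ('
            f'msg:"Emotet IOC domain {domain}"; dns.query; content:"{domain}"; '
            f'nocase; sid:{base_sid + offset}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_LOG):
        print("IOC hit:", hit)
    for rule in suricata_dns_rules(IOCS["domain"]):
        print(rule)
```

The parent-domain check is deliberate: attackers rotate hostnames under a domain they control, so a rule keyed only on the exact hostname in the IOC list would miss `cdn.update-cdn.example`. The `dns.query` content match in the generated rules is a substring match, so it covers those subdomains in the same way.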
VI. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of the identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.