Emotet botnet returns after a five-month break

The current campaign targets users in the United States and the United Kingdom. Recipients receive spam messages carrying a malicious Word file that installs the Emotet Trojan.

Emotet, the most active botnet of 2019, is back. According to the security provider Proofpoint, the botnet's three server clusters, referred to as Epoch 1, Epoch 2 and Epoch 3, are active again and are currently spreading English-language spam emails in an attempt to infect new users with the Emotet malware.

“Today’s campaign has primarily targeted recipients in the United States and the United Kingdom,” said Sherrod DeGrippo, Senior Director for Threat Research at Proofpoint. “The messages either contain a Word file attachment or a link to download the Word document, which contains malicious macros and, if activated by the user, downloads and installs Emotet.” So far, about 80,000 messages have been sent.
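The attack chain described above, a Word attachment whose VBA macros fetch the Trojan once the user enables them, is something a mail gateway can screen for before the document ever reaches a user. The following is an added example written for this page, not code from the article, Proofpoint or the Emotet research groups named here. It flags attachments that carry a VBA project by inspecting the file bytes (the OOXML container's `vbaProject.bin` part or content-type declaration, and the `Macros`/`VBA` storage names in legacy OLE2 `.doc` files) rather than trusting the file extension. The sample messages and documents it builds are constructed fixtures, not captured Emotet lures, and the OLE2 check is a deliberately cheap heuristic, labelled as such in the code.

```python
"""Flag Word attachments that carry VBA macros (added example, not from the article)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a ZIP container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Heuristically decide whether Word-file bytes carry a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc: the VBA project lives in a "Macros" storage with a "VBA"
        # sub-storage, and OLE directory names are UTF-16LE. A byte search is
        # enough to quarantine a file, but not to prove one clean; a full OLE
        # parser (e.g. oletools) is the robust option.
        return ("Macros".encode("utf-16-le") in data
                and "VBA".encode("utf-16-le") in data)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # OOXML stores the VBA project as a vbaProject.bin part and declares
                # it in the content-types manifest. Renaming .docm to .docx changes
                # neither, so the container is checked, not the extension.
                if any(n.endswith("vbaProject.bin") for n in names):
                    return True
                if "[Content_Types].xml" in names:
                    return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
        except zipfile.BadZipFile:
            pass  # malformed container: left to a separate malformed-file policy
    return False


def flag_macro_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments in an RFC 5322 message that carry macros."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and has_vba_macros(payload):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


def make_word_doc(with_macros: bool) -> bytes:
    """Build a minimal OOXML container (constructed fixture, not a real document)."""
    main_type = (b"application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
                 else b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ctypes = (b'<?xml version="1.0"?><Types>'
              b'<Override PartName="/word/document.xml" ContentType="' + main_type + b'"/>')
    if with_macros:
        ctypes += b'<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + b'"/>'
    ctypes += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", b"<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder bytes, not real VBA
    return buf.getvalue()


def make_message(filename: str, attachment: bytes) -> bytes:
    """Wrap an attachment in a constructed spam-like message (addresses are fictitious)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, doc in (("Invoice.docm", make_word_doc(True)),
                      ("Invoice.docx", make_word_doc(False))):
        print(name, flag_macro_attachments(make_message(name, doc)))
```

A check like this only catches the attachment variant of the lure; the campaign also sends links to a hosted document, which the gateway never sees. It complements, rather than replaces, a policy that blocks macros in documents from the internet, since the macros only run if the user enables them.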

Cryptolaemus, a group of security researchers who track Emotet, confirmed the botnet's comeback. Security providers including CSIS, Microsoft, Malwarebytes, Abuse.ch and Spamhaus are watching the new activity.

Before its temporary shutdown in early February, Emotet was not only the most active botnet but also the largest cybercrime operation. Its operators use their email infrastructure to infect users with the Emotet Trojan and then use the infected hosts to deliver other malware, either for their own purposes or on behalf of third parties to whom they rent access to the compromised machines. To date, such clients have included several ransomware gangs and the TrickBot operators.

Emotet recently distributed ransomware in countries such as the Netherlands and Germany, and is therefore treated there as a risk on a par with ransomware. Companies and organizations that find a host infected with Emotet should isolate the system and disconnect their network from the Internet; according to security experts, this is necessary to keep the infection, and any ransomware delivered through it, from spreading further.

This is not the first time Emotet has gone quiet and returned: the botnet also ceased operation from May to September 2019.
