Emotet, the world's most expensive and destructive botnet, returned after a five-month hiatus on Friday with an explosion of malicious spam aimed at spreading a back door that installs ransomware, bank fraud Trojans, and other malicious malware.
The botnet sent a whopping 250,000 messages during the day, mainly to people in the United States and the United Kingdom, Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told Ars. Other researchers said the targets were also in the Middle East , in South America and in Africa. The botnet followed its characteristic pattern of either sending a malicious document or creating a link to a malicious file that installs the Emotet back door when activated.
Enlarge /. A map showing where Emotet scored on Friday.
The botnet gave its first indications of a return on Tuesday, with small amounts of messages being sent. Email samples that abused threat monitors on Twitter accounts. Abuse.ch and Spamhaus looked like this:
The resurgence of Emotet on Friday was also discovered by the anti-virus provider Malwarebytes and Microsoft.
Box of tricks
Emotet has proven to be one of the most imaginative threats to humans in recent years. Emails often seem to come from someone with whom the goal has corresponded in the past. The malicious messages often use the subject lines and body of previous email threads that the two participated in. Emotet obtains this information by collecting the contact lists and inboxes of infected computers.
Technology has a double advantage. It makes the goal of believing that the message is trustworthy because it comes from a known friend, acquaintance, or business partner who is following up on a previously discussed issue. The inclusion of authentic content also makes it difficult for spam filters to recognize the emails as malicious.
Another clever trick from Emotet: it steals usernames and passwords for outgoing email servers. The botnet then uses the credentials to send email from these servers instead of relying on its own infrastructure. Because the trusted servers send the malicious messages, security products find it more difficult to detect and block them.
Hit and run
DeGrippo said that the last time Emotet showed up was during a five-day run in early February that delivered approximately 1.8 million messages. The botnet is known to make large explosions for a short time and then to fall silent for weeks or months. Last September it woke up from a four-month sleep.
The group is known for taking long breaks and regularly taking time off on weekends and important vacation times. True to its normal pattern, the last Emotet activity had completely stopped on Saturday morning when this post went online. The schedule not only enables its employees to have a healthy work-life balance, but also makes campaigns more successful.
"The key for most threat actors is to minimize the time between inbox [malicious email] in the inbox and opening by the target." DeGrippo explained. "The longer this time passes, the greater the risk for the threat actor that its payload will not be delivered due to mitigating controls."
Emotet messages contain malicious Microsoft Word documents or PDF files or URLs that point to malicious Word files. The Word documents contain macros that, when activated, install the Emotet back door. The back door usually waits a few days before subsequent malware such as the banking trojan TrickBot or the Ryuk ransomware is installed.
Researchers have published compromise indicators for Friday's news program here, here and here.
Emotet is another reminder that people should be very suspicious of files and links sent via email, especially if they are unrelated, e.g. B. when a friend sends an invoice. People should be doubly suspicious of Word documents, for which macros must be activated before content can be displayed. There is rarely a reason for consumers to use macros, so it's a good budgetary rule never to activate them for any reason. A better guideline is to open Word documents in Google Docs to prevent malware from being installed on the local computer.