We recently became aware of what appears to be the return of Emotet. The TrickBot malware family began delivering a dll that is suspiciously similar to the old Emotet payloads. While information is still being developed around this, the shared distribution between TrickBot and Emotet from past endeavors points to this likely being a legitimate return. As we’ve seen in the past, Emotet likes to do things in phases when it comes back and this appears to be the ‘staging’ phase of their operation. While we cannot say if or when we expect for them to begin sending malicious emails again, it would be a good bet that it could be within the next few weeks. This timing correlations with the holiday season and campaigns that we’ve witnessed in the past.
Emotet has leveraged different means of delivering their payloads via phishing emails. While the predominant method has been URLs and weaponized office documents, they have also been known to use other file types. While we cannot know if they will leverage anything new in the future, in the past they made heavy use of macro enabled word documents, and we can probably expect to see the same this time.
Stolen email threads were also a very effective method to entice victims to ‘click through’ emails, and Emotet leveraged these quite extensively in the past. They also were known to use current events to generate more generic templates for their phishing campaigns. This mixture of multiple templates and variety of payloads can make it difficult to easily identify their phishing emails.
If Emotet is truly coming back ‘online’, and it appears that it is, they will likely bring with them a bag of new tricks ready to throw at us. We will continue to monitor the situation and update you as information becomes available to help you defend against this.
Additional Reading: