The Dead Have Risen

On July 17, 2020 the Emotet botnet sprang back to life from a five-month hiatus—by far the longest break of the preceding few years.  We assess it is possible that COVID may have thrown a monkey wrench into their plans, but we cannot be sure of that.  While this is not a new threat by any means, it is certainly worth bringing to the attention of all cybersecurity professionals, as Emotet’s reach is broad. Our initial analysis indicates that though much of Emotet’s behavior today is similar to previous activity, there are some key differences that network defenders need to be aware of. Most notably, Emotet is now not only scraping email templates from victim inboxes, but is also able to steal email attachments, which they are in turn using in further phishing campaigns against targets that would find the attachments familiar and from known (compromised) contacts.

Some Background:

Emotet came on the scene in 2014 as a banking trojan. Since then, it has evolved into one of the threat landscape’s most damaging botnets.  Today, some of the primary functions of the trojan include:

  1. Information stealer
    1. When installed, Emotet will gather a victim’s email credentials from their outlook client and browsers.
    1. Emotet will gather and exfiltrate a victim’s contact list. Once the contact list is delivered to Emotet’s command and control (C2), it will be used as a target list for malspam.
    1. Emotet will steal some of the victim’s emails for use in reply-chain style phishing attacks. This allows for spearphish-level authenticity and variable content in the emails that is hard to match.  
  2. Malspam sender
    1. When Emotet’s bot client is running on the victim machine, it will likely receive instructions from its C2 that typically involve sending emails to further spread Emotet.  These instructions utilize the vast data store of stolen credentials, emails, and contacts for targeting. The emails vary from generic templates to automatically customized reply-chain emails that leverage previous messages content to lower potential victims defenses.
  3. Malware Dropper
    1. Emotet often delivers subsequent payloads to compromised endpoints, and has been observed dropping multiple different malware families including TrickBot and QakBot. These secondary drops have been known to lead to ransomware events.

The return of Emotet on a Friday was unexpected, given the length of its recent lull.  In its return, many facets of today’s Emotet campaigns are the same as historical phishing sprees, though some changes do stand out:

In June, the actors behind Emotet modified the stealer module that is dropped by the malware in preparation for this return.  The modifications allow for them to not only scrape the messages in a victim’s mailbox, but also to exfiltrate full attachments from those emails. We began to notice the use of such stolen attachments on July 28, 2020, at which point they began disseminating phishing emails with multiple attachments.  This change was likely to increase victim curiosity as well as lower their defenses, as it is very likely that they have seen these attachments in previous correspondence. The actual efficacy of this change will have to be tracked over time.

The webshells Emotet uses to deliver payloads on compromised sites were under attack by someone attempting to prevent infections. The actor responsible for this sabotage replaced the downloaded “payload” with a few different GIF images that seemed to mock the Emotet gang. As time has passed, we have seen Avira antivirus end up on these sites as well. The Emotet actors were quick to begin patching their shells, but appear to be in an ongoing battle with whomever is doing this.

We continue to monitor the botnet for any novel changes to tactics and will keep you apprised of these as they happen.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.