The new Emotet trojan detected in September appeared with two other notorious malware dubbed Trickbot and Ryuk.
It also included additional features to steal the contents from victims’ inboxes and credentials for sending outbound emails.
Following a four-month vacation, Emotet’s operators were back in mid-September in several cyber espionage campaigns. In most of the cases, the operators were seen using spear-phishing attack techniques to target organizations.
Although its only been a short time span since Emotet resurged from its dormant state, researchers at Nuspire have found that the malicious activities related to the trojan have increased by 730% in September alone.
Emotet returns with additional features
- The important aspect of the new Emotet trojan detected in September was it appeared with two other notorious malware dubbed Trickbot and Ryuk. These three malware, as a whole, were used to cause the most damage to a network.
- It also included additional features to steal the contents from victims’ inboxes and credentials for sending outbound emails. These stolen credentials were later used to transmit Emotet attack messages.
An overview of Emotet attacks from September
- The first instance of the trojan’s activity was noticed in August 2019 after researchers found command and control servers for the Emotet were being revived by operators.
- In Mid-September, the trojan recorded its first attack campaign that sent emails with financial themes. The campaign was primarily targeted against organizations in Poland and Germany.
- Another new spam campaign that incorporated fake news about NSA whistleblower Edward Snowden’s new book ‘Permanent Record’ as a lure, was reported within a week after the first attack.
- In October, the Emotet botnet was found using a new malicious attachment that is disguised as a Microsoft Office Activation Wizard. The attachment was sent via phishing emails that appear to be fake invoices, order confirmations, payment confirmations, and shipping issues.
- With the start of the holiday season, the operators leveraged fake Halloween invitation emails to spread the malware. The email pushed out new templates that asked recipients to attend a neighborhood party.
Researchers indicate that this significant increase in Emotet activity can pose a serious threat in the future.
“When we saw Emotet decline to a near dormant state in the second quarter, we knew it was only a matter of time until it would resurface with stronger and better tactics. This significant increase in Emotet activity is one of the most dangerous malware botnets affecting the world today, said Matt Corney, Nuspire CTO, Help Net Security reported.