Less than a month after reactivating its command and control (C2) servers, the Emotet botnet has come back to life by spewing spam messages to countries around the globe.

Malicious emails with Emotet's signature were spotted Monday morning targeting Germany, the United Kingdom, Poland, and Italy. The spam campaign also hit the USA, targeting individuals, businesses, and government entities.

Emotet campaign by the numbers

Researchers noticed at the beginning of June that the C2 servers of Emotet had fallen silent and were no longer sending instructions to infected machines. The inactivity lasted until August 22, when the infrastructure started to wake up again and servers began responding to requests.

Since then, it appears the operators made the necessary preparations to restart the botnet: cleaning it of fake bots, putting together new campaigns, and establishing distribution channels (compromising websites and setting up web shells on them). Today Emotet came back to life and started spewing spam again.

In this campaign, some of the websites compromised to distribute Emotet's payload are:

  • customernoble.com - a cleaning company
  • taxolabs.com
  • www.mutlukadinlarakademisi.com - Turkish women's blog
  • www.holyurbanhotel.com
  • keikomimura.com
  • charosjewellery.co.uk
  • think1.com
  • broadpeakdefense.com
  • lecairtravels.com
  • www.biyunhui.com
  • nautcoins.com

Emotet started strong, with security researchers from email security company Cofense Labs telling BleepingComputer that Emotet is now targeting almost 66,000 unique email addresses across more than 30,000 domain names from 385 unique top-level domains (TLDs).

As for the origin of the malicious emails, Cofense told us that they came from 3,362 different senders, whose credentials had been stolen. The count for the total number of unique domains reached 1,875, covering a little over 400 TLDs.

Cofense further states that while some campaigns may use a sender list from a predefined targeting category, for the most part there are no defined targets, as is common for campaigns this large.

"From home users all the way up to government owned domains. The sender list includes the same dispersion as the targets. Many times we've seen precise targeting using a sender whose contact list appears to have been scraped and used as the target list for that sender. This would include b2b as well as gov to gov." - Cofense

Initially there was no definitive answer on the payload, only unconfirmed reports that some U.S.-based hosts received Trickbot, a banking trojan turned malware dropper, as a secondary infection dropped by Emotet.

This was later confirmed by security researchers James_inthe_box and Brad Duncan, who analyzed the infection traffic.

For users infected with Trickbot and who do not detect the infection, there is a good chance they may become infected with the Ryuk ransomware at a later date.

Emotet's tricking emails

From current observations and spam emails shared with us by Cofense and JamesWT, Emotet's campaign today relies mostly on emails with a financial theme that appear to be a reply to a previous conversation. This was noticed with the following message in English:

Polish and Italian users received a similar message, urging them to take a look at a bill that caused some problems:

In a message likely to a German recipient, the sender claimed there were issues with some documentation and asked the recipient to take a look:

All the messages above look like replies to a previous conversation, i.e. reply-chain messages, which could make potential victims more inclined to check the problem.

Nevertheless, non-reply-chain messages are part of the campaign as well. One of them, shared with us by Cofense, was delivered to a government organization in the U.S. as a request to check a document. The details appear to have been kept vague on purpose by the cybercriminals, most likely to entice the victim to open the attached document.

It is unclear whether the reply-chain method is used only for the government or the business sector, but another example of a non-reply-chain message was seen addressed to a German-speaking recipient.

The lure is still a financial document, which seems to be the popular method to stir curiosity.
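The reply-chain lures described above share two traits a mail gateway can check before a user ever sees them: the subject claims to be a reply, yet the message carries no threading headers, and a Word document is attached. The script below is an added example written for this article, not tooling from Cofense, JamesWT or the Emotet analysts; the messages it parses are constructed samples, the list of localized reply prefixes (German "AW:", Italian "R:", Polish "Odp:") is an assumption to extend for your own user base, and "fake reply without In-Reply-To/References" is a heuristic, not a rule stated by the article.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Reply prefixes for the languages targeted in this campaign (assumed list).
REPLY_PREFIXES = ("re:", "aw:", "r:", "odp:")
# Attachment extensions handed to Word; macro-capable ones matter most.
WORD_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".docx")


def build_sample_message(subject: str, threaded: bool,
                         attachment: Optional[str]) -> bytes:
    """Construct a sample message (not a captured email) for testing."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.example"        # constructed addresses
    msg["To"] = "finance@recipient.example"
    msg["Subject"] = subject
    if threaded:
        # A genuine reply carries the Message-ID of the mail it answers.
        msg["In-Reply-To"] = "<original-1@recipient.example>"
        msg["References"] = "<original-1@recipient.example>"
    msg.set_content("Please check the attached document and get back to me.")
    if attachment:
        # Stub OLE magic bytes only; this is not a real document.
        msg.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 12,
                           maintype="application", subtype="msword",
                           filename=attachment)
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Flag messages that claim to be replies but carry no thread headers
    and deliver a Word attachment; both signals together raise the score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    claims_reply = subject.startswith(REPLY_PREFIXES)
    threaded = bool(msg["In-Reply-To"] or msg["References"])
    word_attachments = [
        part.get_filename() for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(WORD_EXTENSIONS)
    ]
    fake_reply = claims_reply and not threaded
    return {
        "fake_reply": fake_reply,
        "word_attachments": word_attachments,
        "suspicious": fake_reply and bool(word_attachments),
    }


if __name__ == "__main__":
    sample = build_sample_message("RE: Invoice 4421", False, "invoice_4421.doc")
    print(triage(sample))
```

The heuristic deliberately needs both signals: legitimate mail clients sometimes drop References, and invoices arrive as attachments all day, but a message that does both while posing as part of an existing thread is worth quarantining or at least stripping of its attachment for sandboxing.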

Emotet installed via malicious Word documents

One email seen by BleepingComputer contained a Word document with malicious macro code. Macros are disabled by default in Microsoft's Office suite, specifically to protect users against this sort of abuse.

To overcome this, the document displays a message prompting potential victims to enable macro content in order to accept a Microsoft license agreement, claiming that otherwise their copy of Word will stop working after September 20.

This trick may well work on many users, since the crooks made the message look genuine by adding the Microsoft logo.

Below you can see part of the malicious macro that installs Emotet on the victim's computer. At the time of writing, the malware dropped this way is detected on the VirusTotal scanning platform by 16 out of 70 antivirus engines.
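Because the whole lure hinges on getting a user to enable macros, the cheapest defensive control is to find out whether an attachment carries a VBA project at all before it reaches a mailbox. The following is an added example written for this article, not code from the campaign or from any of the researchers quoted; it builds constructed Word packages in memory and inspects them. A macro-enabled OOXML file stores its code in the `word/vbaProject.bin` part and declares a macro-enabled content type for the main document part, so the check looks at both and reports when they disagree. Legacy binary `.doc` files are not zip containers and are reported as such; hand those to an OLE-aware tool such as olevba.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace and content types defined by the OOXML packaging spec.
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")


def build_sample_doc(include_vba: bool, declare_macro_enabled=None) -> bytes:
    """Construct a minimal Word package in memory (a constructed sample, not a
    real lure). The VBA part is a stub holding only the OLE magic bytes."""
    if declare_macro_enabled is None:
        declare_macro_enabled = include_vba
    main_ct = MACRO_MAIN_CT if declare_macro_enabled else PLAIN_MAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                    'wordprocessingml/2006/main"/>')
        if include_vba:
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def inspect_word_package(data: bytes) -> dict:
    """Report what the package declares versus what it actually contains."""
    info = {"is_ooxml": False, "has_vba_project": False,
            "declared_macro_enabled": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info                   # legacy binary .doc, or not a document
    with zf:
        names = zf.namelist()
        info["is_ooxml"] = "[Content_Types].xml" in names
        # The VBA project lives in word/vbaProject.bin whatever the extension.
        info["has_vba_project"] = any(
            n.lower().endswith("vbaproject.bin") for n in names)
        if info["is_ooxml"]:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for override in root.iter(CT_NS + "Override"):
                if override.get("PartName") == "/word/document.xml":
                    info["declared_macro_enabled"] = (
                        override.get("ContentType") == MACRO_MAIN_CT)
    return info


def verdict(data: bytes) -> str:
    """Triage label for a mail-gateway or sandbox pre-filter."""
    info = inspect_word_package(data)
    if not info["is_ooxml"]:
        return "not-ooxml"        # route to an OLE-aware scanner instead
    if info["has_vba_project"] and not info["declared_macro_enabled"]:
        return "vba-undeclared"   # VBA part present but not declared: inspect
    if info["has_vba_project"]:
        return "macro-enabled"
    return "macro-free"


if __name__ == "__main__":
    for flag in (True, False):
        print(verdict(build_sample_doc(flag)))
```

Anything other than "macro-free" deserves detonation or quarantine in an environment where users are known to click through the "enable content" bar; the "vba-undeclared" case is the one worth escalating, since a benign document has no reason to carry a VBA part it does not declare.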

In the case of the Italian email, the macro runs a PowerShell command containing the URLs of several hacked websites from which to retrieve the payload. As usual, it comes in obfuscated form, but it is not much different from previous campaigns; it is trivial to decode and yields the following commands:

The fresh Emotet campaign observed starting this morning clearly shows that the botnet is once again ready for business. At 4 AM EST Cofense Labs tweeted that the botnet resumed its operations.

A few minutes later, the Spamhaus Project, an organization tracking spam-related activity worldwide, announced that Emotet was "fully back in action" and provided a sample email indicating a recipient in Poland.

Security experts from the Cryptolaemus research group chimed in some time later with a list of compromised domains and the document template containing the malicious macro for payload delivery.

Multiple Word documents delivered through these Emotet campaigns have been fed to the automated analysis platform AnyRun, and they show that the same template was used for today's operation. Analysis is available here, here, and here.

Update [09/16/2019, 17:35 EST]: Article updated with new information confirming Trickbot as the payload for Emotet infections.
