A notorious botnet has begun sending out spam again after a several month hiatus, which could spend bad news for organizations around the world.
Emotet has been dormant for around four months, but starting pumping out spam on Monday morning, with phishing emails sent in German, Polish, English and Italian, according to Malwarebytes.
The firm said that an uptick in command-and-control (C2) server activity forewarned it of a return to the front line for the infamous botnet.
In this new campaign, users are tricked into opening an attached document and enabling macros, triggering a PowerShell command which will try to download Emotet from compromised sites, often those running WordPress.
“Once installed on the endpoint, Emotet attempts to spread laterally, in addition to stealing passwords from installed applications. Perhaps the biggest threat, though, is that Emotet serves as a delivery vector for more dangerous payloads, such as ransomware,” warned Malwarebytes.
“Compromised machines can lay in a dormant state until operators decide to hand off the job to other criminal groups that will attempt to extort large sums of money from their victims. In the past, we’ve seen the infamous Ryuk ransomware being deployed that way.”
Linked to the North Korean Lazarus Group, Ryuk is thought to have made almost $3.8m for its operators in the six months to January 2019.
Like Trickbot, Emotet was originally a banking Trojan that was re-written to function as a malware loader. Its operators sell access to the botnet for clients to use as a malware distribution network.
According to Malwarebytes, Emotet malware was detected and removed over 1.5 million times between January and September 2018 alone. In July last year, the threat became so serious that the US-CERT was forced to release an alert about Emotet and its capabilities.