The Emotet botnet was one of the largest ever seen and certainly one of the most dangerous. Phishing emails were used to infect devices with Emotet malware, which added the devices to the botnet. The operators of Emotet then sold access to other threat actors such as ransomware gangs. The botnet was shut down by an international law enforcement effort and the cleanup operation saw the malware removed from all infected devices. While that severely disrupted the Emotet operation for several months, the botnet is now back with a vengeance.

The TrickBot Trojan was one of the malware variants downloaded by Emotet, but it was used in the early stages of rebuilding the Emotet botnet, with the two malware operations completely reversing roles. The Emotet botnet has been rapidly rebuilt and is being used once again to infect victims’ devices with malware Qbot. Emotet is no longer relying on TrickBot to infect devices.

Emotet is once again being distributed by hijacking email threads and sending messages that appear to a reply to a previous conversation. While this method has previously seen malicious attachments added to those threads, according to Bleeping Computer a new tactic is now being used. A malicious hyperlink is inserted into the message threads that appears to be a link to a PDF file hosted on a remote server. In one example, “Please see attached and thanks” was inserted along with a hyperlink in response to a previous conversation.

If the link is clicked, the user is directed to what appears to be a shared document on Google Drive, where the user is asked to click the link to preview the PDF file. However, clicking the link attempts to open an appinstaller file hosted on Microsoft Azure. The user is required to accept the appinstaller prompt, which appears to be attempting to install an Adobe PDF component with permissions to use all system resources.

The package has a valid certificate and includes the Adobe PDF logo, but it will install a malicious appxbundle that will infect the user’s device with the Emotet Trojan. Emotet will then download other malicious payloads, which often lead to a ransomware attack. The Cryptolaemus group, which tracks and reports on Emotet activity, says the new URL-based lures are being used in addition to the standard Emotet tactics of distributing the malware using .zip and .docx email attachments.

The Emotet botnet has been rebuilt at a tremendous pace and there has been a massive increase in Emotet activity in the past few days. Malwarebytes detected a major spike in activity on November 26 and abuse.ch reported an even bigger spike on December 1, when 447% more malicious sites were being used to distribute the malware than in early November. Emotet has once again grown into a significant threat and its infrastructure has been upgraded to make it even more resilient and prevent any further takedown attempts by law enforcement. It is looking like the Emotet botnet is back and stronger than it was before the takedown.

So how can businesses protect against Emotet? End user training is important, but the tactics used by the Emotet gang are effective and fool many users into starting the infection process. The key to protection is to block the phishing emails that are the initial attack vector and that requires an advanced spam filtering solution.

TitanHQ has recently launched a new product – SpamTitan Plus – with significantly improved protection against malicious links which, along with dual antivirus protection and email sandboxing, can protect against phishing and malware threats delivered by email, even novel malware variants.

To find out more about how TitanHQ solutions can protect your business against malware, phishing, and ransomware attacks, give the TitanHQ team a call.