This month has seen a return of the Emotet botnet after a 4-month period of inactivity, with a high-volume email campaign identified that is increasing the size of the botnet. Emotet started life as a banking Trojan but has been updated over the years to add new functionality. Devices infected with Emotet are added to the botnet and can be used for a variety of purposes, but one of the main functions of Emotet is as a malware dropper, delivering additional malicious payloads on devices once the botnet operator has achieved their own goals. Currently, Emotet is being used to drop a new variant of the IcedID loader. IcedID is a banking Trojan that is similarly used to drop other malware variants.

Emotet is primarily spread via phishing emails, with the campaigns typically consisting of hundreds of thousands of emails a day. The lures used in these messages are often changed, but the threat actor behind Emotet tends to opt for traditional lures such as IRS notifications and business-themed emails. The Emotet Trojan is able to hijack message threats from infected devices and reply, including a copy of itself in the emails. Since the emails come from a genuine email account and appear to be a response to a past conversation, the probability of the recipient opening the email and attachment is all the greater.

The emails in the latest campaign still use XLS attachments with Auto_Open macros to deliver the malicious payload, despite Microsoft disabling macros in files delivered via the Internet. In some of the emails, the .xls file is directly attached to the email, although it is commonly included in a .zip file. The zip files are often password-protected to prevent them from being scanned by email security solutions, with the password – and often little else other than the file name and a signature – included in the message body.

To get around Microsoft’s macro protections, the user is advised when they open to the .xls file to copy the file to a whitelisted directory and reopen it. The user is told this is a necessary requirement of their security policy to be able to view the contents of the file, with instructions provided for different Microsoft Office versions. By copying the file to the suggested location and then reopening it, Microsoft’s protections will not be applied, and the macro will be able to run. The latest campaign is predominantly targeting the United States, although it is likely that the campaign will be expanded to target other geographical regions.

Defending against Emotet requires a combination of measures. While email security solutions such as SpamTitan can detect and block Emotet phishing emails, a defense-in-depth approach is recommended that includes comprehensive security awareness training for the workforce and more advanced endpoint detection solutions than standard antivirus software.

TitanHQ offers security awareness training and phishing simulations through the SafeTitan platform which trains employees how to recognize the phishing emails that are being used to deliver Emotet. The phishing simulator includes real-world examples of the types of emails that the gang uses to trick employees into installing Emotet.

For further information on improving your defenses against Emotet and other email threats, give the TitanHQ team a call. All TitanHQ cybersecurity solutions are available on a free trial to allow you to test them for effectiveness and usability before making a decision about a purchase.