The Emotet botnet sprang back to life and started sending large volumes of malicious spam emails earlier this month. The botnet consists of hundreds of thousands of computers that have been infected with Emotet malware and is capable of sending huge spam campaigns.

Emotet malware steals usernames and passwords for outgoing email servers, which are used to send emails from a company’s legitimate email server. This tactic helps to ensure the emails are delivered because the mail servers used to send the messages are trusted. The volume of emails sent from those mail servers is also limited to stay under the radar and avoid detection by security teams.

The emails contain a malicious attachment or a hyperlink that directs the recipient to a website where Emotet malware is downloaded. These malicious sites often change, and most commonly are compromised WordPress sites. The attachments are commonly Word documents with malicious macros, which launch PowerShell commands that download the Emotet payload.

Once installed, Emotet starts sending emails to infect more devices but is also used to deliver other malware payloads, typically a banking Trojan such as TrickBot or QakBot. Both Trojans have been distributed by Emotet malware in the latest campaign.

Emotet is one of the main malware threats, and was the leading malware threat in 2018 and 2019. It is also one of the most dangerous. Infection with Emotet will eventually also see a banking Trojan downloaded, and that Trojan is often used to deliver ransomware.

The Emotet gang targets businesses and uses a wide range of lures in its campaigns. Fake invoices, shipping notices, job applications, and purchase orders are often used. A commonly used tactic that has proven to be extremely effective is the hijacking of email threads: Emotet takes legitimate email threads from infected mailboxes and inserts its own links and attachments. Hijacking an email thread adds credibility to the email, as it appears to be a response to a previous conversation with a known and trusted contact, a follow-up on a past exchange rather than an unsolicited message.

The latest campaign has seen the Emotet gang adopt a new tactic, one that has not been used before. Emotet has been updated to allow legitimate email attachments to be added to the emails, in addition to hijacking email threads. Researchers at Cofense intercepted emails sent by Emotet malware, one of which included a hijacked email thread along with five legitimate email attachments, a combination of Rich Text Format files (.rtf) and PDFs. The email asked the recipient to “see/review attached”, and a link was included in the body of the email. The attached files were benign, but the link was malicious.
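The combination described above (a reply to an existing thread, benign attachments, a generic "see/review attached" lure and a link to a site unrelated to the sender) is something a mail filter can score on the message itself. The following is an added example, not code from the article or from Cofense or TitanHQ: it builds a constructed message in that shape with Python's standard `email` library and applies those heuristics. The sender, recipient, hostnames and the `assess_message` / `build_sample` functions are all assumptions made for the example; the link host `hacked-blog.example` stands in for the kind of compromised site the article mentions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_RE = re.compile(r"see/review attached|see attached|review attached", re.IGNORECASE)


def build_sample(link_host: str = "hacked-blog.example") -> bytes:
    """Constructed sample: a reply to a real thread carrying two benign
    attachments and one link. link_host controls where the link points."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "ap@victim.example"
    msg["Subject"] = "RE: Invoice 4471 - March"
    msg["In-Reply-To"] = "<20200301.1234@victim.example>"
    msg.set_content(
        "Hi,\n\nPlease see/review attached.\n"
        f"http://{link_host}/wp-content/uploads/docs/\n\n"
        "> On Monday you wrote:\n> Thanks, attached is the PO.\n"
    )
    # The attachments are harmless placeholders; the danger is the link.
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice_4471.pdf")
    msg.add_attachment(b"{\\rtf1 placeholder}", maintype="application",
                       subtype="rtf", filename="terms.rtf")
    return bytes(msg)


def assess_message(raw: bytes) -> dict:
    """Score a raw RFC 5322 message on the thread-hijack pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    is_reply = bool(msg.get("In-Reply-To")) or subject.lower().startswith(("re:", "fw:", "fwd:"))

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    # Collect link hosts and keep those outside the sender's own domain.
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    off_domain = sorted(h for h in hosts
                        if h != sender_domain and not h.endswith("." + sender_domain))

    attachments = [a.get_filename() or "" for a in msg.iter_attachments()]

    signals = []
    if is_reply:
        signals.append("reply-to-existing-thread")
    if attachments:
        signals.append("has-attachments")
    if off_domain:
        signals.append("off-domain-link")
    if LURE_RE.search(body):
        signals.append("generic-see-attached-lure")

    return {
        "sender_domain": sender_domain,
        "is_reply": is_reply,
        "attachments": attachments,
        "off_domain_link_hosts": off_domain,
        "signals": signals,
        "score": len(signals),
        # A link off the sender's domain inside a reply or alongside
        # attachments is the article's pattern; hold it for review.
        "quarantine_for_review": bool(off_domain) and (is_reply or bool(attachments)),
    }


if __name__ == "__main__":
    print(assess_message(build_sample()))
    print(assess_message(build_sample(link_host="portal.supplier.example")))
```

The benign attachments contribute a signal but are not themselves the decision; the off-domain link is what tips the message into quarantine, which matches the article's point that sandboxing the attachments alone would have found nothing wrong.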

Emotet infections demonstrate quite clearly why it is important to not only filter inbound emails, but to also adopt an email security solution that scans outbound email messages, including outbound emails that are sent internally. Emotet is often spread internally in an organization, so one infected machine often leads to several on the network being infected. These attacks can be incredibly costly to resolve. An Emotet attack on the City of Allentown, PA cost in excess of $1 million to fix.
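Because Emotet sends through stolen credentials on the organization's own mail server and deliberately keeps volume low, an outbound control that only counts messages per account will miss it. What stands out instead is a change in behaviour: a new submitting client, a sudden spread of distinct external recipient domains, and sending at odd hours. The following is an added example, not code from the article or any TitanHQ product: it parses a constructed outbound submission log (the `auth=`/`client=`/`rcpt=` format, the account names, IPs and dates are all invented for the example, not a real MTA's log format) and compares each account's activity on one day against its own earlier baseline. The function names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log. Lines before 2020-07-22 are alice's normal pattern:
# one workstation, one or two recipients, one external domain per day.
# On 2020-07-22 only five messages go out, but from a different client,
# at 03:14, to five external domains never contacted before.
SAMPLE_LOG = """\
2020-07-20T08:10:01Z auth=alice@corp.example client=10.1.4.7 rcpt=bob@partner.example
2020-07-20T08:11:40Z auth=alice@corp.example client=10.1.4.7 rcpt=carol@corp.example
2020-07-21T09:02:15Z auth=alice@corp.example client=10.1.4.7 rcpt=bob@partner.example
2020-07-21T09:05:00Z auth=alice@corp.example client=10.1.4.7 rcpt=dan@corp.example
2020-07-22T03:14:05Z auth=alice@corp.example client=10.1.9.33 rcpt=ap@firm-a.example
2020-07-22T03:14:09Z auth=alice@corp.example client=10.1.9.33 rcpt=ap@firm-b.example
2020-07-22T03:14:14Z auth=alice@corp.example client=10.1.9.33 rcpt=ap@firm-c.example
2020-07-22T03:14:20Z auth=alice@corp.example client=10.1.9.33 rcpt=ap@firm-d.example
2020-07-22T03:14:25Z auth=alice@corp.example client=10.1.9.33 rcpt=ap@firm-e.example
2020-07-22T09:30:00Z auth=erin@corp.example client=10.1.4.8 rcpt=bob@partner.example
"""


def off_hours(hour: int) -> bool:
    """Assumed business window of 06:00-20:00 server time."""
    return hour < 6 or hour >= 20


def parse_line(line: str) -> dict:
    """Split '<ISO timestamp> key=value ...' into a small event record."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"day": ts[:10], "hour": int(ts[11:13]), "account": fields["auth"],
            "client": fields["client"], "rcpt": fields["rcpt"]}


def detect_outbound_anomalies(lines, day: str, min_external_domains: int = 3) -> list:
    """Compare each authenticated sender's activity on `day` with its own
    history from earlier days. Accounts with no history are skipped because
    there is nothing to compare against."""
    baseline = defaultdict(lambda: {"clients": set(), "ext_by_day": defaultdict(set)})
    today = defaultdict(lambda: {"clients": set(), "ext": set(), "off_hours": 0, "messages": 0})

    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        rcpt_domain = ev["rcpt"].rpartition("@")[2]
        external = rcpt_domain != ev["account"].rpartition("@")[2]
        if ev["day"] < day:  # ISO dates compare correctly as strings
            b = baseline[ev["account"]]
            b["clients"].add(ev["client"])
            if external:
                b["ext_by_day"][ev["day"]].add(rcpt_domain)
        elif ev["day"] == day:
            t = today[ev["account"]]
            t["clients"].add(ev["client"])
            t["messages"] += 1
            if external:
                t["ext"].add(rcpt_domain)
            if off_hours(ev["hour"]):
                t["off_hours"] += 1

    alerts = []
    for account, t in sorted(today.items()):
        if account not in baseline:
            continue
        b = baseline[account]
        base_max = max((len(s) for s in b["ext_by_day"].values()), default=0)
        signals = []
        new_clients = sorted(t["clients"] - b["clients"])
        if new_clients:
            signals.append("new-client-ip")
        # Spike = at least min_external_domains and more than double the old daily maximum.
        if len(t["ext"]) >= max(min_external_domains, 2 * base_max + 1):
            signals.append("external-recipient-spike")
        if t["off_hours"] > t["messages"] / 2:
            signals.append("mostly-off-hours")
        if len(signals) >= 2:  # any two behavioural changes together raise an alert
            alerts.append({"account": account, "signals": signals, "new_clients": new_clients,
                           "messages": t["messages"], "external_domains": len(t["ext"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_outbound_anomalies(SAMPLE_LOG.splitlines(), "2020-07-22"):
        print(alert)
```

Five messages would never trip a volume threshold, which is exactly the point of the low-and-slow sending the article describes; the alert comes from the account behaving unlike itself, and the `new_clients` field gives the responder the host to isolate first.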

Spam filtering solutions need advanced threat detection capabilities such as sandboxing to identify malicious attachments, and since the emails change frequently, machine learning capabilities are necessary to identify zero-day attacks: new tactics, techniques, and procedures that have not been used before.

SpamTitan incorporates all of these advanced threat detection measures and will help to protect you from Emotet and other malware and phishing threats delivered via email. For more information on the capabilities of SpamTitan, to register for a free trial to test the solution, or to book a product demonstration, give the TitanHQ team a call today.