In 2019, security experts
In the last four months, Emotet was not spotted in the wild, but now the threat is back with an active spam distribution campaign. Researchers from Malwarebytes observed the Trojan start pumping out spam again; the messages initially targeted users in Germany, Poland and Italy, as well as the US. The campaign continues, targeting users in Austria, Switzerland, Spain, the United Kingdom, and the United States.
The researchers observed that hundreds of thousands of messages were sent as part of this distribution effort.
The most notable characteristic of this campaign is the reuse of stolen email content to trick recipients into opening attachments or clicking on links pointing to
“Note the personalization in the email subject lines. Borrowing a tactic from North Korean nation-state actors, Emotet’s creators are bringing back highly sophisticated spear phishing functionality introduced in April 2019, which includes hijacking old email threads and referencing to the user by name,” reads the report.
The operators are hijacking legitimate email threads as part of a social engineering attack.
The same activity was observed by the malware researchers at Cisco Talos group.
“One of Emotet’s most devious methods of self-propagation centers around its use of socially engineered spam emails.
“Once they have swiped a victim’s email, Emotet constructs new attack messages in reply to some of that victim’s unread email messages, quoting the bodies of real messages in the threads,”
The operators are also using real subject headers and email contents in an attempt to bypass anti-spam systems.
“By taking over existing email conversations, and including real Subject headers and email contents, the messages become that much more randomized, and more difficult for anti-spam systems to filter,” continues Talos.
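A defensive heuristic for the thread-hijacking tactic described above, added here as an example and not code from the Malwarebytes or Talos reports: it flags an inbound reply that references a Message-ID our own users sent but arrives from an address that was not part of the original thread, and notes risky attachments on it. All addresses, Message-IDs and the sample message are constructed for the example.

```python
import email
from email import policy

# Constructed sample data (hypothetical addresses, not from the report):
# Message-IDs of mail our users sent, mapped to the addresses that took part.
SENT_THREADS = {
    "<sent-001@example.com>": {"alice@example.com", "bob@partner.example"},
}

# Attachment types commonly used to carry macro droppers; adjust to local policy.
RISKY_ATTACHMENT_TYPES = {"application/msword", "application/zip"}

# Constructed inbound message: a "reply" to our thread that quotes it, but comes
# from a different address than the original correspondent and carries a .doc.
RAW_REPLY = """\
From: "Bob" <bob@mail-relay.example.net>
To: alice@example.com
Subject: Re: Q3 invoice schedule
In-Reply-To: <sent-001@example.com>
References: <sent-001@example.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Alice, please see the attached document.

> (body of the genuine thread quoted here)
--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"

(attachment bytes omitted)
--b1--
"""


def hijacked_reply_indicators(raw, sent_threads=SENT_THREADS):
    """Return findings for a reply that references a thread our users sent."""
    msg = email.message_from_string(raw, policy=policy.default)
    parent = (msg.get("In-Reply-To") or "").strip()
    if parent not in sent_threads:
        return []  # not a reply to our mail; other rules would cover it
    findings = []
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    # A genuine reply normally comes from one of the original participants.
    if sender not in sent_threads[parent]:
        findings.append(f"reply to {parent} from unexpected address {sender}")
    # The hijacked thread is only the lure; what the reply carries is the payload.
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if ctype in RISKY_ATTACHMENT_TYPES:
            findings.append(f"risky attachment {part.get_filename()!r} ({ctype})")
    return findings
```

The Message-ID lookup needs a store of outbound mail metadata (Message-ID plus recipients), which most mail gateways or journaling setups can provide.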
Emotet has been swiping email credentials from victims and sharing them with other bots in its network to send out spam messages.
Experts at Talos discovered that in April 2019, Emotet was using
“Looking at all the email Emotet attempted to send during the month of April 2019, we found Emotet included stolen email conversations only approximately 8.5 percent of the time.”
The operators used a large database of potential recipients in this last campaign; experts noticed that 97.5% of the recipients Emotet reached in April 2019 received only a single spam message.