UPDATED 22:25 EST / JULY 19 2020


Emotet botnet returns with new Microsoft Office phishing campaign

The infamous botnet Emotet is back after a five-month break with a new Microsoft Office phishing campaign.

The return of Emotet was first spotted by Malwarebytes Labs July 13 and the campaign took off by July 17.

Emotet first emerged in 2014, and though primarily known as a botnet, the Emotet name is also applied to the malware pushed out by that botnet. The malware is designed to steal account credentials and was previously focused on stealing banking account credentials.

Even in the COVID-19 era, not much has changed in the new Emotet campaign. The messages typically carry a malicious Microsoft Office document that, when opened, displays an Office 365 error message generated by an obfuscated macro script.

Once users approve the macro, the code launches PowerShell to retrieve the Emotet binary from a remote compromised website. Having gained access, those behind Emotet can wait days or even weeks to take further action, including the ability to install other forms of malware on a victim’s computer.
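The infection chain described above, an Office application spawning PowerShell to fetch a payload, is the pattern defenders most often key on. As an added example (not code from Malwarebytes, Proofpoint or the article), the following Python triages constructed process-creation events for an Office parent launching a shell with a download-style command line; the field names are an assumption modelled on Sysmon event ID 1, and the sample events are constructed.

```python
import re

# Office applications that should almost never spawn a command shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments typical of a PowerShell downloader stage (illustrative, not exhaustive).
DOWNLOAD_HINTS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|"
    r"net\.webclient|-enc(odedcommand)?\b|frombase64string",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lowercase file name from a Windows-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> str:
    """Rate one process-creation event: 'high', 'medium' or 'none'.

    Office -> shell with download hints is 'high'; Office -> shell without
    them is still 'medium', since a macro may stage the download elsewhere.
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SHELLS:
        return "high" if DOWNLOAD_HINTS.search(event.get("CommandLine", "")) else "medium"
    return "none"


def triage(events: list) -> list:
    """Return (EventId, severity) for every event that is not 'none'."""
    rated = [(e["EventId"], classify(e)) for e in events]
    return [(eid, sev) for eid, sev in rated if sev != "none"]


# Constructed sample events (assumed Sysmon-like field names, not real telemetry).
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoP -w hidden -enc AAAA"},  # macro -> PowerShell downloader
    {"EventId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest https://example.invalid/update"},  # admin use
    {"EventId": 3, "ParentImage": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},  # Office -> shell, no download
    {"EventId": 4, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},  # benign print helper
]
```

Running `triage(SAMPLE_EVENTS)` yields `[(1, 'high'), (3, 'medium')]`; the benign administrator PowerShell and the print helper are not flagged.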

Security firm Proofpoint also spotted the return of Emotet, writing that the botnet and related malware have evolved and are no longer focused on stealing banking credentials alone. They can also install other malware designed for spamming, general credential stealing, email harvesting and spreading on local networks.

By July 17, an estimated 250,000 messages had been sent by Emotet, and the number has continued to climb. According to Proofpoint, the threat actor TA542 is believed to be behind the campaign. The hacking group is also known as Mummy Spider and Gold Crestwood.

Erich Kron, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE it’s notable that the group is back on the scene after taking a hiatus, much like the Dridex group.

“Given the significant size of the campaign and focus on infected Word documents, this would be a great time to warn users to be aware that these document types are being used, so they can be careful if they receive them in an email or through a link,” Kron said. “The timing, right before a weekend, could also be purposeful as they may hope to infect machines before people quit working on Friday and have the weekend to deploy and create havoc before employees return to working on Monday.”

Image: Malwarebytes
