HomesecurityEmotet spam Trojan comes to life again after 5 months of inactivity

Emotet spam Trojan comes to life again after 5 months of inactivity

After months of inactivity, the infamous Emotet Spamming Trojan is reviving as it launches a huge spam email campaign targeting users around the world.

Emotet is malware that spreads through spam emails containing malicious documents Word ή Excel. These documents use macros to download and install Emotet Trojan on the victim's computer, which installs other malware over time and uses the infected one. computer to send further spam emails.

Emotet trojan spam

Binary Defense researcher James Quinn told BleepingComputer that Emotet last appeared on February 7, 2020.

While the Emotet Cryptolaemus monitoring team is monitoring the infection and has seen its malicious modules updated over time, there has been no spam from botnet except for a few small ones tests earlier this week.

Emotet comes to life again

Today, Emotet suddenly came back to life with a spam campaign delivering emails containing malicious Word document spreadsheets.

Joseph Roosen, an expert on Emotet, said activity was limited at the beginning of the week, but the malicious documents included used old URLs.

Roosen said that the Emotet botnet now emits huge amounts of spam and that malicious documents use new addresses URL which are usually hacked websites WordPress.

One of the Emotet junk emails leaked to BleepingComputer by Binary Defense is a "shipping document" pretending to be a shipping document from

Emotet spam trojan

Confense Labs said the predominant template they see is "Jobs GO", and many use "Expedia Payment Transfer Tips" or W-9 template requests.

Emotet spam trojan

Word attachments use a new template that tells the user that it cannot be opened properly because it was created in iOS. Then it has an error in the template where when it opens it displays "Enable Edition" and not "Enable Editing".

This new document template has not been used before in previous campaigns and you can read the full text below.

In a BleepingComputer test, after activating the macros in a malicious document, a PowerShell command was executed that downloaded and executed Emotet from compromised WordPress sites.

This eventually led to the trojan being saved as% UserProfile% \ AppData \ Local \ dwmapi \ certmgr.exe.

Emotet spam trojan

An auto-run registry key will also be generated in HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run to start the Emotet trojan when booting Windows.

Once the malware is run, it will further develop malicious modules that steal a mail victim, spread to others computers or use the infected computer to send spam.

Over time, Emotet is known to install TrickBot trojan, which is then used for theft passwords, cookies, SSH keys, spread across a network and finally access to ransomware operators.

It is important to note that this new campaign is not aimed at a specific country but at users around the world.

If you have found out that you are infected with Emotet, it is recommended that you do so control network account and email to make sure no more has been compromised Appliances of your body.

To stay up to date with the latest Emotet updates, we suggest you follow the Emptet Cryptolaemus team on Twitter.

Malwarebytes also published an article with further IOCs related to this new campaign.


Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehc
Be the limited edition.