After months of inactivity, the infamous Emotet spamming trojan is reviving as it launches a huge spam email campaign targeting users around the world.
Emotet is malware that spreads through spam emails containing malicious Word or Excel documents. These documents use macros to download and install the Emotet trojan on the victim's computer, which installs other malware over time and uses the infected computer to send further spam emails.
Binary Defense researcher James Quinn told BleepingComputer that Emotet last appeared on February 7, 2020.
While the Cryptolaemus Emotet-tracking team has been monitoring the infection and has seen its malicious modules updated over time, there had been no spam from the botnet except for a few small tests earlier this week.
Emotet comes to life again
Today, Emotet suddenly came back to life with a spam campaign delivering emails containing malicious Word documents.
Joseph Roosen, an expert on Emotet, said activity was limited at the beginning of the week, but the attached malicious documents used old URLs.
One of the Emotet spam emails shared with BleepingComputer by Binary Defense pretends to be a "shipping document" from Loomis-express.com.
Cofense Labs said the predominant template they see is "Jobs GO", and many use "Expedia Payment Transfer Tips" or W-9 template requests.
The Word attachments use a new template that tells the user the document cannot be opened properly because it was created in iOS. The template also contains an error: when opened, it displays "Enable Edition" instead of "Enable Editing".
This document template has not been used in previous campaigns, and you can read its full text below.
In a BleepingComputer test, after activating the macros in a malicious document, a PowerShell command was executed that downloaded and executed Emotet from compromised WordPress sites.
This eventually led to the trojan being saved as %UserProfile%\AppData\Local\dwmapi\certmgr.exe.
An auto-run registry value is also created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to start the Emotet trojan when Windows boots.
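A defender's check for the two persistence artifacts just described, written as an added PowerShell example (not from the article or from BleepingComputer's test). It assumes only the file path and Run-key location stated above, and that %UserProfile%\AppData\Local is the same folder as $env:LOCALAPPDATA on the host being checked.

```powershell
# Added example: hunt for the Emotet persistence artifacts the article describes.
# Assumption: $env:LOCALAPPDATA resolves to %UserProfile%\AppData\Local here.
$suspectDir  = Join-Path $env:LOCALAPPDATA 'dwmapi'
$suspectFile = Join-Path $suspectDir 'certmgr.exe'
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

# 1. The dropped binary. certmgr.exe is a legitimate Windows SDK tool name,
#    but it has no business living under a folder named after dwmapi.dll.
if (Test-Path -LiteralPath $suspectFile) {
    $item = Get-Item -LiteralPath $suspectFile
    $findings += [pscustomobject]@{
        Type   = 'File'
        Detail = $suspectFile
        Extra  = ('{0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime)
    }
}

# 2. Any HKCU Run value whose command line points into that folder. The article
#    does not give the value name, so match on the target path instead.
if (Test-Path -LiteralPath $runKey) {
    $props = Get-ItemProperty -LiteralPath $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($cmd -like "*$suspectDir*") {
            $findings += [pscustomobject]@{
                Type   = 'RunKey'
                Detail = "$runKey\$($p.Name)"
                Extra  = $cmd
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No dwmapi\certmgr.exe artifacts found on this host.'
} else {
    # Preserve the binary for analysis before any cleanup; it is the sample
    # an incident responder will want to hash and submit.
    $findings | Format-Table -AutoSize
}
```

Run it in the context of the user whose profile is being checked, since the Run key lives in that user's HKCU hive.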
It is important to note that this new campaign is not aimed at a specific country but at users around the world.
To stay up to date with the latest Emotet developments, we suggest you follow the Cryptolaemus Emotet-tracking team on Twitter.
Malwarebytes also published an article with further IOCs related to this new campaign.