Two weeks after France, Japan and New Zealand issued warnings about increased Emotet activity, new warnings were issued last week by Italy, the Netherlands and Microsoft. These new warnings come as Emotet activity continues to grow significantly, overshadowing the activity of any other malware currently in the threat landscape.
Joseph Roosen, a member of Cryptolaemus, a team of security researchers who monitor the campaigns of the Emotet malware, told ZDNet yesterday that a strong surge in Emotet spam has been observed lately. Roosen noted that for the past two weeks he has been receiving about 400 Emotet e-mails per day, while he usually receives from twelve to 100.
Emotet, which is by far the biggest malware botnet, was inactive from February to July 2020, when it made its return. Its operators sought a quick return to the threat landscape, but their plans were thwarted and Emotet's return was delayed by about a month, as a hacker broke into their infrastructure and replaced the malware with GIFs.
This, however, did not last long, as the Emotet operators eventually found a way to stop the hacker and now have full control of their botnet, which they use to send more and more spam emails on a daily basis.
These spam emails carry malicious attachments that infect the host with the Emotet malware. The Emotet operators then sell access to the infected hosts to other hacking gangs, including ransomware operators. Many times, and especially in large corporate environments, an Emotet infection can turn into a ransomware attack within hours.
This is why cybersecurity agencies, the CERT (Computer Emergency Response Team) teams in France, Japan, New Zealand, Italy and the Netherlands, as well as Microsoft, are worried about the Emotet spam campaigns and are issuing warnings to companies, urging them to strengthen their defenses against Emotet spam.
It is worth noting that the Emotet malware uses a wide variety of techniques in its spam operations. Roosen, who has been following the botnet for years, said that Emotet has been using a technique called "email chain hijacking" (hijacked threads) since October 2018. The technique works as follows: the Emotet gang first steals an existing email chain from an infected host and then replies to that email chain with its own message, using a forged sender identity, while also attaching a malicious document, hoping to entice the participants in the email chain to open the file and get "infected". It is a clever and effective technique, which was analyzed in a report by Palo Alto Networks published yesterday.
However, the warnings from Microsoft and the Italian authorities point to another recent change in the Emotet spam campaigns, which are now also using password-protected ZIP files instead of Office documents. The reason is that, when the attachment is password-protected, email security gateways cannot open the archive to scan its contents and therefore cannot detect traces of the Emotet malware inside.
Finally, Roosen pointed out that the Emotet gang has been using this technique sparingly since mid-2019, but has recently begun to use it much more extensively in its spam campaigns. This is exactly why Microsoft and other players are now reacting to its sudden "outbreak".
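The evasion described above rests on one detail a mail gateway can still see: a ZIP archive records in each entry's general-purpose flag whether that entry is encrypted, even when the payload itself cannot be inspected. The following Python is an added example (not code from the article or from any of the agencies or researchers it quotes) of how a defender can triage an inbound ZIP attachment on that basis: it reads the flag from the central directory, confirms that the members cannot be read without a password, and applies a hypothetical local policy (quarantine encrypted archives, send Office documents for macro scanning). The sample archive is constructed inline; `build_sample_zip`, `triage_attachment` and the `OFFICE_EXTENSIONS` list are assumptions of this example, not anything the article names.

```python
import io
import struct
import zipfile

# Bit 0 of the ZIP general-purpose flag marks the entry as encrypted
# (traditional PKZIP encryption or AES via the extra field).
ENCRYPTED_FLAG = 0x0001
# Office document extensions that deserve extra scrutiny inside an archive
# (assumed list for this example, extend to local policy).
OFFICE_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")


def encrypted_entries(zip_bytes):
    """Names of members whose central-directory flag marks them as encrypted.

    This needs no password: the flag is metadata, not payload."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG]


def contents_scannable(zip_bytes):
    """True if every member can be read without a password, i.e. a gateway
    could actually hand the payload to its scanners."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                zf.read(info.filename)
            except RuntimeError:
                # zipfile raises RuntimeError for an encrypted member
                # when no password is supplied.
                return False
    return True


def triage_attachment(zip_bytes):
    """Hypothetical gateway policy for an inbound ZIP attachment."""
    encrypted = encrypted_entries(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    office = [n for n in names if n.lower().endswith(OFFICE_EXTENSIONS)]
    if encrypted:
        verdict = "quarantine"      # cannot be scanned: hold for manual review
    elif office:
        verdict = "scan_macros"     # readable Office file: run macro/AV analysis
    else:
        verdict = "scan"            # ordinary archive: normal content scanning
    return {"verdict": verdict, "encrypted": encrypted, "office": office}


def build_sample_zip(encrypted):
    """Constructed sample: a one-member ZIP holding a placeholder 'invoice.doc'.

    With encrypted=True the encryption bit is patched into both the local
    file header (flag at offset 6 after 'PK\\x03\\x04') and the central
    directory entry (flag at offset 8 after 'PK\\x01\\x02'), which is how a
    password-protected archive presents itself to a scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.doc", b"constructed placeholder, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                data[pos + offset:pos + offset + 2] = struct.pack("<H", ENCRYPTED_FLAG)
                pos = data.find(signature, pos + 1)
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("plain", build_sample_zip(False)),
                          ("password-protected", build_sample_zip(True))):
        print(label, "scannable:", contents_scannable(sample),
              "->", triage_attachment(sample))
```

The point of checking the flag rather than attempting to open the file is that the verdict is available before any scanner runs and does not depend on which encryption scheme was used; a gateway that simply fails to extract the archive and then passes it through is exactly the behaviour the Emotet operators are counting on.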