Defenders detected a 28-fold surge in Emotet email spam

Despite best law enforcement efforts, Emotet is still at large. More than a year after its disruption, it has sprung back up to being the most dangerous malware, affecting 6% of organizations.

“Emotet has been one of the most professional and long-lasting cybercrime services out there,” Europol said in a press release in January 2021, after disrupting one of the most dangerous malware strains of the past decade.

Now, multiple cybersecurity companies claim Emotet is back. Recently, Check Point Research reported that Emotet, an advanced, self-propagating, and modular Trojan, is the most prevalent malware and impacts 6% of organizations worldwide.

HP Wolf Security detected a surge in Emotet email spam, primarily targeting Japanese organizations.

Emotet at large

The Emotet infrastructure acted as a primary door opener for computer systems. Once unauthorized access was established, that access was sold to cybercriminals, who further exploited the system, for example by deploying ransomware.

The criminal empire went silent and was largely inactive from January to October 2021. From October, however, Emotet started being delivered as a secondary payload on PCs already infected with the TrickBot malware.

HP Wolf Security reported a 2,823% increase in Emotet email spam in Q1 compared to the previous quarter.

“The malware rose 36 places to become the most popular family in circulation, behind Agent Tesla and Nemucod,” the company said in its Threat Insights Report.

The campaigns primarily targeted Japanese organizations through malicious Excel spreadsheets. HP Wolf Security detected a 23% increase in spreadsheet threats over the last quarter.

Emotet’s operators have used email thread hijacking to trick recipients into infecting their PCs.

“By exfiltrating victims’ email mailboxes, the botnet spoofs sender addresses, subject lines, attachment file names, and the body text of emails. This stolen data is used to craft convincing emails that are sent as replies to existing email threads, with the goal of tricking targets into opening malicious email attachments and links,” HP Wolf Security said.

A variety of different lures were used to trick unsuspecting users into opening those malicious files. In the past, Emotet email campaigns have also been presented as invoices, shipping notices, and information about COVID-19.

Among top malware families

A recent report by Check Point Research listed Emotet, which was once used as a banking Trojan but has recently been used as a distributor for other malware and malicious campaigns, as the most popular malware, impacting 6% of organizations worldwide. It was closely followed by the infostealer Formbook (3% of organizations worldwide) and Agent Tesla, an advanced RAT functioning as a keylogger and information stealer (2% global impact).

“In fact, there are reports that Emotet has a new delivery method; using phishing emails that contain a OneDrive URL. Emotet has many uses after it succeeds in bypassing a machine’s protections. Due to its sophisticated techniques of propagating and assimilation, Emotet also offers other malware to cybercriminals on dark web forums, including banking trojans, ransomware, botnets, etc.,” Check Point Research said.

As a result, once Emotet establishes a foothold, the consequences vary depending on which malware is delivered afterwards.
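The two lure patterns described above, hijacked email threads carrying spreadsheet attachments (HP Wolf Security) and phishing emails with a OneDrive URL (Check Point Research), can be turned into simple mail-gateway triage heuristics. The script below is an added example for illustration, not code from either vendor or from this article. The sample messages, the `.test` domains, the scoring weights and the "suspicious" threshold are all constructed assumptions; the detection idea is that a message which looks like a reply to an existing thread but whose visible sender is not aligned with its return path, and which introduces a spreadsheet attachment or a OneDrive link into that thread, deserves a closer look.

```python
"""Triage heuristics for Emotet-style lures: hijacked email threads that
introduce spreadsheet attachments or OneDrive links.

Added example; sample messages, domains and weights are constructed assumptions.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

SPREADSHEET_EXT = re.compile(r"\.(?:xls[mb]?|xlsx)$", re.IGNORECASE)
ONEDRIVE_URL = re.compile(
    r"https?://(?:[\w.-]+\.)?(?:1drv\.ms|onedrive\.live\.com)/\S+", re.IGNORECASE
)
REPLY_PREFIX = re.compile(r"^\s*(?:re|aw|fwd?)\s*:", re.IGNORECASE)
SUSPICIOUS_THRESHOLD = 3  # assumed cut-off, tune against your own mail flow


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and list the reasons for the score."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons, score = [], 0

    subject = msg.get("Subject", "")
    looks_like_reply = bool(REPLY_PREFIX.match(subject)) or bool(
        msg.get("In-Reply-To") or msg.get("References")
    )

    # Thread hijacking typically spoofs the visible From while the message is
    # actually injected from attacker infrastructure: check From/Return-Path alignment.
    from_dom, path_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    if looks_like_reply and path_dom and from_dom != path_dom:
        score += 2
        reasons.append(f"reply with misaligned sender: From={from_dom} Return-Path={path_dom}")

    # A spreadsheet appearing in a reply is the HP Wolf Security lure; weight it higher.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if SPREADSHEET_EXT.search(name):
            score += 2 if looks_like_reply else 1
            reasons.append(f"spreadsheet attachment {name!r}"
                           + (" on a thread reply" if looks_like_reply else ""))

    # OneDrive links in the body are the delivery method Check Point describes.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in ONEDRIVE_URL.findall(text):
        score += 2 if looks_like_reply else 1
        reasons.append(f"OneDrive link in body: {url}")

    return {"score": score, "reasons": reasons, "suspicious": score >= SUSPICIOUS_THRESHOLD}


def _build(from_addr, return_path, subject, body, in_reply_to=None, attachment=None):
    """Construct a raw sample message (test data, not captured mail)."""
    m = EmailMessage()
    m["Return-Path"] = return_path
    m["From"] = from_addr
    m["To"] = "accounts@example-corp.test"
    m["Subject"] = subject
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content(body)
    if attachment:
        name, payload = attachment
        m.add_attachment(payload, maintype="application",
                         subtype="vnd.ms-excel.sheet.macroEnabled.12", filename=name)
    return m.as_bytes()


QUOTED_THREAD = "Please see attached.\n\n> On Monday you wrote:\n> Can you resend the April invoice?\n"

# Constructed samples: a hijacked-looking reply, a benign reply, and a plain spreadsheet.
SAMPLES = {
    "hijacked_reply": _build(
        "Dana Lee <dana.lee@partner.test>", "<bounce@mailer-relay.test>",
        "Re: April invoice", QUOTED_THREAD + "\nAlso here: https://1drv.ms/x/s!AbCdEf123 thanks\n",
        in_reply_to="<msg-0412@partner.test>", attachment=("invoice_0412.xlsm", b"\xd0\xcf\x11\xe0")),
    "benign_reply": _build(
        "Dana Lee <dana.lee@partner.test>", "<dana.lee@partner.test>",
        "Re: April invoice", "Resent it through the portal, no attachment needed.\n",
        in_reply_to="<msg-0412@partner.test>"),
    "plain_spreadsheet": _build(
        "Reports <reports@example-corp.test>", "<reports@example-corp.test>",
        "Weekly figures", "Attached as usual.\n", attachment=("figures.xlsx", b"PK\x03\x04")),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The alignment check stands in for what an SPF/DMARC-aware gateway would already report; in production you would read the authentication results header rather than re-deriving it, and feed the score into quarantine-and-review rather than outright blocking, since legitimate replies with spreadsheets are common.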