The notorious Emotet malware operation is exhibiting a strong resurgence more than a year after being effectively shut down. Check Point researchers put the Windows software nasty at the top of their list as the most commonly deployed malware in a March threat index, threatening or infecting as many as 10% of organisations around the world during the month – an almost unbelievable figure, and more than double that of February.
Now, according to Kaspersky Labs, a swiftly accelerating and sophisticated spam email campaign is intriguing targets with fraudulent emails designed to swindle them into unpacking and installing Emotet or Qbot malware, which can steal data, collect information on a compromised corporate network, and move laterally through the network to install ransomware or other trojans on networked computers.
Qbot, which is associated with Emotet's operators, is also capable of accessing and stealing emails. In a blog post this week, Kaspersky's email threats protection group manager, Andrey Kovtun, stated.
In February, Kaspersky discovered 3,000 malicious Emotet-linked emails, followed by 30,000 a month later, in languages including English, French, Italian, Polish, Russian, and Spanish.
Kovtun wrote, "Some letters that cybercriminals send to the recipients contain a malicious attachment. In other cases, it has a link which leads to a file placed in a legitimate popular cloud-hosting service. Often, malware is contained in an encrypted archive, with the password mentioned in the e-mail body."
The spam email often claims to include essential information, such as a commercial offer, in order to persuade the recipient to open the attachment or download the harmful file via the link.
"Our experts have concluded that these e-mails are being distributed as part of a coordinated campaign that aims to spread banking Trojans," he wrote further.
Cryptolaemus, a group of security researchers and system administrators formed more than two years ago to combat Emotet, announced on Twitter this week that one of the botnet subgroups has switched from 32-bit to 64-bit for loaders and stealer modules, indicating the botnet's operators' continued development. Emotet immediately resurfaced in the malware world's upper echelons. Europol, along with police departments from the United States, Germany, the United Kingdom, and Ukraine, completed a multinational takedown of the primary botnet deploying Emotet in February 2021. Raids on the accused operators' houses in Ukraine were part of the operation.
The raid, according to Europol, substantially impacted Emotet's operations, which were used to infiltrate thousands of firms and millions of computers around the world.
However, in publishing its March threat index, Check Point Research stated that Emotet resurfaced in November 2021 and has gained traction after the Trickbot botnet infrastructure was shut down in February. It is once again the most common malware.
The researchers wrote, "This was solidified even further [in March] as many aggressive email campaigns have been distributing the botnet, including various Easter-themed phishing scams exploiting the buzz of the festivities. These emails were sent to victims all over the world with one such example using the subject 'Buona Pasqua, happy easter,' yet attached to the email was a malicious XLS file to deliver Emotet."