After Months Dormant, Emotet Trojan Returns To Target France, Japan And New Zealand


Emotet is a malware first identified in 2014, distributed by a hacker group named TA542 (or Mummy Spider).

Since then, the malware has evolved from its original roots as a simple banking Trojan, to a modular "Swiss Army knife" that can serve as a downloader, information stealer, and spambot depending on how the malware is deployed.

In short, Emotet is something to fear.

And in the months during the 'COVID-19' coronavirus pandemic, researchers found that the malware strain has been linked to several increasing botnet-driven malspam campaigns.

The Emotet botnet spreads through spam emails that contain malicious Microsoft Word documents or password-protected ZIP archive files as attachments. These files can download and install Emotet on a victim's computer if enabled if macros in attachment is enabled.

Once installed, Emotet can then steal victims' email, to then use it in additional spam campaigns.

This Emotet campaign is also capable of using the stolen attachments to improve the authenticity of its malicious emails.

Making things worse, this Emotet variant is even capable of delivering more dangerous payloads, like from other malware families including the Trickbot (a known vector used to deploy Ryuk and Conti ransomware payloads) and the QakBot trojans. This was made possible with the authors having other hacker groups renting their botnets.

The largest uptick in Emotet activity this 2020 coincided with its return on July 17 after a prolonged development period that lasted since February 7 earlier this year, with the malware sending as many as 500,000 emails on all weekdays targeting European organizations.

As a result of this, the French national cyber-security agency published an alert warning of the surge in Emotet attacks targeting the private sector and public administrations throughout the country.

"For several days, ANSSI has observed the targeting of French companies and administrations by the Emotet malware," the ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) alert bulletin reads. "Special attention should be paid to this because Emotet is now used to deploy other malicious code that may have a strong impact on the activity of victims."

As ANSSI noticed, the Emotet botnet "also constructs phishing emails on the basis of information collected during the compromise of mailboxes, which it sends to exfiltrated contact lists, or more simply spoofs the image of entities, prior victims," adding that it is also targeting "all types of business sectors around the world."

Emotet malware campaign spiking in Japan.
Emotet malware campaign spiking in Japan. (Credit: CERT Japan)

This was followed by similar alert from both Japan and New Zealand, which also described a large uptick in Emotet malware attacks targeting their respective countries.

"The emails contain malicious attachments or links that the receiver is encouraged to download," New Zealand's Computer Emergency Response Team (CERT) said. "These links and attachments may look like genuine invoices, financial documents, shipping information, resumes, scanned documents, or information on COVID-19, but they are fake."

As for Japan, CERT Japan (JPCERT/CC) cautioned that it found an increase in the number of domestic domain (.jp) email addresses that have been infected with the malware and can be misused to send spam emails in an attempt to spread the infection further.

Emotet activity described in the alerts refers to email spam campaigns that originated from Emotet infrastructure and targeted companies and government agencies in the three countries.

Joseph Roosen, a member of Cryptolaemus, a group of security researchers that track Emotet malware campaigns, said that the Emotet botnet has been particularly active in recent weeks, especially in those three countries.

For example, Roosen said New Zealand had been heavily targeted by Emotet operators via emails originating from E3 (one of the three mini-botnets that make the larger Emotet infrastructure).

On the other hand, while E3 was spamming targets in New Zealand, Roosen said that all three mini-Emotet botnets (E1, E2, and E3) were targeting Japan. According to CERT Japan, these Emotet spam waves led to a tripling of Emotet sightings, causing the security experts in those countries to sound the alarm.

The Emotet malware diagram
The Emotet malware diagram. (Credit: WyzGuys Cybersecurity)

ANNSI provided a list of recommendations organizations should follow to prevent the Emotet infections, and what to do if ever their systems get infected:

  • Do not enable macros in attachments, and be particularly attentive to the emails received.
  • Limit Internet access for all agents to a controlled white list.
  • Disconnect compromised machines from the network without deleting data.
  • Because removal/cleaning by antivirus is not a sufficient guarantee, the only way to erase the malware is by reinstallation of the infected machines.
  • Victims can send samples they found for analysis in order to determine the IoCs that can be shared. This point is essential because the attacker's infrastructure evolves frequently, access to recent samples is therefore essential.

Previously, the Emotet went dormant because the malware had a flaw that allowed cybersecurity researchers to create a kill-switch, which prevented the malware from infecting systems.

"Most of the vulnerabilities and exploits that you read about are good news for attackers and bad news for the rest of us," Binary Defense's James Quinn said.

"However, it's important to keep in mind that malware is software that can also have flaws. Just as attackers can exploit flaws in legitimate software to cause harm, defenders can also reverse-engineer malware to discover its vulnerabilities and then exploit those to defeat the malware."

The kill-switch was alive between February 6, 2020 until August 6, 2020, the day the malware authors patched the malware and closed the vulnerability.

What this means, the kill-switch was only on for 182 days.