The malicious software had been slowly returning since November 2021, and saw a large number of phishing emails sent out with Emotet attached in April 2022.
Although it had previously been foiled by a global law enforcement effort, it looks like Emotet malware has returned behind a new campaign. New findings from cybersecurity company Check Point show that Emotet has reemerged since November 2021 as the most prevalent form of malware through an aggressive email drive using Easter themed phishing scams to distribute the botnet. According to Check Point’s researchers, it was reported that “Emotet is continuing its reign as the most popular malware, impacting 10% of organizations worldwide”.
“Technology has advanced in recent years to such a point where cybercriminals are increasingly having to rely on human trust in order to get through to a corporate network,” said Maya Horowitz, vice president of research at Check Point Software. “By theming their phishing emails around seasonal holidays such as Easter, they are able to exploit the buzz of the festivities and lure victims into downloading malicious attachments that contain malware such as Emotet. In the run up to Easter weekend, we expect to see more of these scams and urge users to pay close attention, even if the email looks like it’s from a reputable source. Easter isn’t the only public holiday and cybercriminals will continue to deploy the same tactics to inflict harm.”
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Emotet’s resurgence via email over Easter
Check Point notes that Easter seemed to signal the resurgence of Emotet’s deployment, as it launched an aggressive email campaign against its targets. The emails were sent to users all over the world with the subject line labeled “Buona Pasqua, happy easter”. These emails were found to have a malicious XML file attached to them that would deliver Emotet to the targeted system.
Emotet first appeared in 2014 as a trojan to assist malicious actors in stealing bank account information, eventually evolving into a larger threat for organizations through its use of a botnet. However, some cybersecurity experts have noted that the process of unpacking the malicious file itself would have been complicated for those intended victims, landing the Emotet attempt lower on the priority list than that of ransomware or other types of malicious software.
“I am pretty sure the average user would have to ignore two to three ‘This could be malware’ warnings, plus put in the password to an encrypted zip file to get access to it in the first place. Out of all the threats I worry about, the one that warns a user over and over is not top on my list,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “With that said, the search and replacement DOS batch file scripting is interesting and unique. I have been disassembling and analyzing malware since 1987, and I do not remember seeing this type of function in DOS batch file coding. I might not be the first, but it is not common. Still, anyone fooled into running this code and bypassing all the warnings has to be among the most phishable people on the planet. And to be clear, I think these people do exist. There are people falling for this phishing scam or else Emotet would not be doing it. But it is not high on my list of things to worry about. A phishing attack with one or no warnings is far more concerning.”
Whether the Emotet malware will continue to be aggressive via email phishing campaigns or not remains to be seen, but it is important that users employ best practices and judgment along with zero-trust approaches to avoid being a casualty of this malicious software.
