December 2020’s Most Wanted Malware: Emotet Returns as Top Malware Threat

guest · Jan 7, 2021

December 2020’s Most Wanted Malware: Emotet Returns as Top Malware Threat
January 7, 2021
https://blog.checkpoint.com/2021/01...malware-emotet-returns-as-top-malware-threat/

Our latest Global Threat Index for December 2020 has revealed that the Emotet trojan has returned to first place in the top malware list, impacting 7% of organizations globally, following a spam campaign which targeted over 100,000 users per day during the holiday season.

In September and October 2020, Emotet was consistently at the top of the Global Threat Index, and was linked to a wave of ransomware attacks.
But in November it was much less prevalent, dropping to 5th place in the Index.
Click to expand...

It has now been updated with new malicious payloads and improved detection evasion capabilities: the latest version creates a dialogue box, which helps it evade detection from users. The new malicious spam campaign uses different delivery techniques to spread Emotet, including embedded links, document attachments, or password-protected Zip files.
Click to expand...

Top malware families
This Month, Emotet remains the most popular malware with a global impact of 7% of organizations, closely followed by Trickbot and Formbook – which impacted 4% of organizations worldwide, each.
Top exploited vulnerabilities
This month “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 42% of organizations globally, followed by “HTTP Headers Remote Code Execution (CVE-2020-13756)” which impact 42% of organizations worldwide. “Web Server Exposed Git Repository Information Disclosure” is at third place in the top exploited vulnerabilities list, with a global impact of 41%.
Top mobile malware
This month, Hiddad holds 1st place in the most prevalent mobile malware, followed by xHelper and Triada.
Click to expand...

hawki · Jan 27, 2021

"Emotet: 'World's most dangerous malware' botnet disrupted by international police operation

The world's most prolific and dangerous malware botnet has been taken down following a global law enforcement operation that was two years in planning.

Europol, the FBI, the UK's National Crime Agency and others coordinated action which has resulted investigators taking control of the infrastructure controlling Emotet in one of the most significant disruptions of cyber-criminal operations in recent years..."

https://www.zdnet.com/article/emote...-disrupted-by-international-police-operation/

FanJ · Jan 27, 2021

Europol Press Release - 27 January 2021
World’s most dangerous malware EMOTET disrupted through global action
https://www.europol.europa.eu/newsr...alware-emotet-disrupted-through-global-action

Law enforcement and judicial authorities worldwide have this week disrupted one of most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an international coordinated action.

This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
Click to expand...

Read more there; long article.

Minimalist · Feb 5, 2021

FBI leaned on Dutch cops' hacking in Emotet disruption

The operation involved officials from nine governments, but one move was decisive: Dutch police used their cyber authorities to infiltrate Emotet infrastructure. They slipped a software update onto the servers that cut off communications between infected computers and the botnet, halting its spread.
Click to expand...

https://www.cyberscoop.com/fbi-emotet-dutch-takedown-cybercrime/

guest · Nov 15, 2021

Emotet botnet returns after law enforcement mass-uninstall operation
November 15, 2021
https://therecord.media/emotet-botnet-returns-after-law-enforcement-mass-uninstall-operation/

The Emotet botnet is active again, ten months after Europol took down its command and control servers.

Law enforcement also mass-uninstalled Emotet from infected computers on April 25, this year.

New Emotet servers and malware samples have been seen on Sunday, November 14.

Click to expand...

The comeback is surprising because after taking over Emotet’s server infrastructure, law enforcement officials also orchestrated a mass-uninstall of the malware from all infected computers on April 25, effectively wiping out the entire botnet across the internet.

Once described as the “world’s most dangerous malware,” Emotet worked by sending massive waves of email spam to users all over the world in order to infect them with its malware strain.
All of this stopped in January when the Emotet gang lost access to the servers controlling its vast network of infected devices.
Click to expand...

Ten months later, Emotet returns
But over the weekend, security researcher Luca Ebach said he spotted that another malware botnet named TrickBot was helping the Emotet gang get back on its feet by installing the Emotet malware on systems that had been previously infected with TrickBot.

“We used to call this Operation ReachAround back when Emotet was dropped by Trickbot in the past,” a spokesperson for Cryptolaemus, a group of security researchers who tracked Emotet in the past, told The Record today.
“This is something they have done before and we knew it could be a way to come back,” Cryptolaemus told us, confirming Ebach’s findings.
Click to expand...

The new Emotet malware versions were also spotted on the third-year anniversary of the Cryptolaemus Twitter account, but it’s unclear if the Emotet administrators have intentionally planned for this to happen. The Cryptolaemus group played a crucial role in tracking, mapping, and then helping law enforcement take down Emotet earlier this year.

This is our 3rd anniversary of Cryptolaemus1. Thanks for all the follows and sharing of intel these past 3 years! To celebrate, Ivan has released a new version of Emotet because he feels left out and wants to be part of the party. More details coming soon. As always watch URLHaus pic.twitter.com/Qwvel32ibB
— Cryptolaemus (@Cryptolaemus1) November 15, 2021
Click to expand...

guest · Nov 17, 2021

Here are the new Emotet spam campaigns hitting mailboxes worldwide
November 16, 2021
https://www.bleepingcomputer.com/ne...t-spam-campaigns-hitting-mailboxes-worldwide/

The Emotet malware kicked into action yesterday after a ten-month hiatus with multiple spam campaigns delivering malicious documents to mailboxes worldwide.

Emotet is a malware infection that is distributed through spam campaigns with malicious attachments. If a user opens the attachment, malicious macros or JavaScript will download the Emotet DLL and load it into memory using PowerShell.
Click to expand...

Emotet spamming begins again
Last night, cybersecurity researcher Brad Duncan published a SANS Handler Diary on how the Emotet botnet had begun spamming multiple email campaigns to infect devices with the Emotet malware.

According to Duncan, the spam campaigns use replay-chain emails to lure the recipient into opening attached malicious Word, Excel, and password-protected ZIP files.
Reply-chain phishing emails are when previously stolen email threads are used with spoofed replies to distribute malware to other users.
Click to expand...

Defending against Emotet
Malware and botnet monitoring org Abuse.ch has released a list of 245 command and control servers that perimeter firewalls can block to prevent communication with command and control servers.

Blocking communication to C2s will also prevent Emotet from dropping further payloads on compromised devices.
Click to expand...

An international law enforcement operation took down the Emotet botnet in January 2021, and for ten months, the malware has not been active.

However, starting Sunday night, active TrickBot infections began dropping the Emotet loader on already infected devices, rebuilding the botnet for spamming activity.
The return of Emotet is a significant event that all network admins, security professionals, and Windows admins must monitor for new developments.
Click to expand...

guest · Nov 19, 2021

Emotet botnet comeback orchestrated by Conti ransomware gang
November 19, 2021
https://www.bleepingcomputer.com/ne...meback-orchestrated-by-conti-ransomware-gang/

The Emotet botnet is back by popular demand, resurrected by its former operator convinced by ex-members of the Ryuk ransomware gang.

Security researchers at intelligence company Advanced Intelligence (AdvIntel) believe that restarting the project was driven by the void Emotet itself left behind on the high-quality initial access market after law enforcement took it down ten months ago.
The revival of the botnet follows a long period of malware loader shortage and the decline of decentralized ransomware operations that allowed organized crime syndicates to rise again.
Click to expand...

Conti ransomware may rise to dominance
Considered the most widely distributed malware, Emotet acted as a malware loader that provided other malware operators initial access to infected systems that were assessed as valuable.

“Emotet’s strategic, operational, and tactical agility was executed through a modular system enabling them to tailor payload functionality and specialization for the needs of specific customers” - AdvIntel
Click to expand...

AdvIntel researchers say that once Emotet disappeared from the scene, top-tier cybercriminal groups, like Conti (loaded by TrickBot and BazarLoader) and DoppelPaymer (loaded by Dridex) were left without a viable option for high-quality initial access.

“This discrepancy between supply and demand makes Emotet’s resurgence important. As this botnet returns, it can majorly impact the entire security environment by matching the ransomware groups’ fundamental gap” - AdvIntel
AdvIntel researchers are confident that the Conti group will deliver their payload to high-value targets via Emotet once the botnet grows, and will become a dominant player on the ransomware scene.
Click to expand...

AdvIntel: Corporate Loader "Emotet": History of "X" Project Return for Ransomware

guest · Nov 22, 2021

Back from the dead: Emotet re-emerges, begins rebuilding to wrap up 2021
November 23, 2021
https://blog.talosintelligence.com/2021/11/emotet-back-from-the-dead.html

Emotet has been one of the most widely distributed threats over the past several years. It has typically been observed being distributed via malicious spam email campaigns, and often leads to additional malware infections as it provides threat actors with an initial foothold in an environment.

International police announced a takedown campaign to disrupt Emotet in early 2021, effectively removing the botnet from the threat landscape.
But as of last week, Emotet has re-emerged and has been observed establishing the infrastructure and distribution required to rebuild the botnets.
Click to expand...

While the current distribution campaigns are not at the same volumes as those previously observed when Emotet was at full strength, this is likely the beginning of a resurgence in Emotet activity that will continue to amplify as more systems become infected and are leveraged for spam distribution.
Click to expand...

hawki · Jun 8, 2022

"Emotet malware now steals credit cards from Google Chrome users

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to harvest credit card information stored in Google Chrome user profiles.

After stealing the credit card info (i.e., name, expiration month and year, card numbers), the malware will send it to command-and-control (C2) servers different than the ones the Emotet card stealer module...

As ESET revealed on Tuesday, Emotet has seen a massive increase in activity since the start of the year..."

https://www.bleepingcomputer.com/ne...steals-credit-cards-from-google-chrome-users/

guest · Nov 16, 2022

Emotet Malware Returns in High-Volume Email Campaign
By Lindsey O’Donnell-Welch - November 16, 2022

The Emotet malware has returned after a four-month hiatus in a high-volume malicious email campaign. The campaign contains several marked differences that researchers say may reflect new operators or management behind the malware.
Click to expand...

Since early November, researchers with both Cisco Talos and Proofpoint have observed the malware being distributed via hundreds of thousands of malicious email campaigns daily, which continue to target organizations in the U.S. as well as other countries. Emotet has regularly adopted various new tactics after returning in 2021, nearly ten months after law enforcement disrupted its infrastructure in an international coordinated operation.

“Proofpoint expects that the actor will continue to evolve, with potential for higher email volumes, more geographies targeted, and new variants or techniques of attached or linked threats,” said Pim Trouerbach and Axel F, researchers with Proofpoint, in a Wednesday analysis. “Additionally, given the observed changes to the Emotet binary, it is likely to continue adapting as well.”
Click to expand...

Following Microsoft’s recent announcement that it would begin disabling macros by default in Office documents downloaded from the internet, many malware families have begun migrating away from Office macros to other delivery mechanisms like ISO and LNK files. Therefore, it is interesting to note that this new campaign of Emotet is using its old method of distributing malicious MS Office documents (maldocs) via email-based phishing.

The malware is delivered via email spam messages that contain a zip file with a XLS file inside, or the XLS attached directly to the email.
Click to expand...

Cisco Talos: Emotet coming in hot

November 8, 2022
Emotet is a ubiquitous and well-known banking trojan that has evolved over the years to become a very successful modular botnet capable of dropping a variety of other threats. Even after a global takedown campaign in early 2021 disrupted the botnet, it reemerged later that year, rebuilding its infrastructure and becoming highly active in a short time.

Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto_Open macros inside XLS documents. Cisco Talos has observed an increased activity of spam distributing this new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.
Click to expand...

Proofpoint: A Comprehensive Look at Emotet’s Fall 2022 Return

By Pim Trouerbach and Axel F - November 16, 2022
Key Takeaways

Emotet returned to the email threat landscape in early November for the first time since July 2022. It is once again one of the most high-volume actors observed by Proofpoint, distributing hundreds of thousands of emails per day.

Proofpoint observed multiple changes to Emotet and its payloads including the lures used, and changes to the Emotet modules, loader, and packer.

Emotet was observed dropping IcedID.

The new activity suggests Emotet is returning to its full functionality acting as a delivery network for major malware families.

New operators or management might be involved as the botnet has some key differences with previous deployments.

Click to expand...

guest · Jan 24, 2023

Emotet Malware Makes a Comeback with New Evasion Techniques
By Ravie Lakshmanan - January 24, 2023

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID.
Click to expand...

Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails.

Attributed to a cybercrime group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the virus has evolved from a banking trojan to a malware distributor since its first appearance in 2014.
The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities.
Click to expand...

Recent campaigns involving the botnet have leveraged generic lures with weaponized attachments to initiate the attack chain. But with macros becoming an obsolete method of payload distribution and initial infection, the attacks have latched on to other methods to sneak Emotet past malware detection tools.

"With the newest wave of Emotet spam emails, the attached .XLS files have a new method for tricking users into allowing macros to download the dropper," BlackBerry disclosed in a report published last week. "In addition to this, new Emotet variants have now moved from 32bit to 64bit, as another method for evading detection."
Click to expand...

BlackBerry: Emotet Returns With New Methods of Evasion

January 20, 2023
Emotet, a Trojan that is primarily spread through spam emails, has been a prevalent issue since its first appearance in 2014. With a network made up of multiple botnets, denoted as “epochs” by security research team Cryptolaemus, Emotet has continuously sent out spam emails in campaigns designed to infect users via phishing attacks. Once it is successfully running on an endpoint, Emotet drops other malicious programs such as Qakbot, Cobalt Strike, or in some cases, even the notorious Ryuk ransomware. However, as of July 2022, the heavily distributed Malware-as-a-Service (MaaS) seemingly went dark, and no longer appeared to be running these spam campaigns.
Click to expand...

For the next four months, Emotet remained silent. Then, on November 2, the Cryptolaemus group found that its botnets, particularly those known as Epoch4 and Epoch5, had begun sending out spam emails once again. These phishing emails used various methods to lure victims into first opening them, and then downloading and executing .xls files, with macros used to download the Emotet dropper. With as little fanfare as when it went dark, it seems that Emotet has returned, appearing to be as malicious as ever.
Click to expand...

Log in or Sign up

December 2020’s Most Wanted Malware: Emotet Returns as Top Malware Threat

guest Guest

hawki Registered Member

FanJ Updates Team

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

Log in or Sign up

December 2020’s Most Wanted Malware: Emotet Returns as Top Malware Threat

guest Guest

hawki Registered Member

FanJ Updates Team

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

Useful Searches