Emotet Returns After Holiday Break

Delaware, USA – January 17, 2019 – After a short holiday rest, the Emotet returns to new attacks with refreshed features. The malware is distributed via email campaigns bringing new tricks.

In current campaigns, the Emotet is delivered in two different ways. One version outspreads via a stream of emails in different languages informing about invoices or package delivery defrauding users to open the Word attachment that installs the malware. Another type of malspam campaign comes with a direct url link in the email body. Once the attachment or the link opened, the malicious PowerShell script downloads and runs Emotet executable hosted on a compromised website. Malware operators use a list of URLs in the script so that if the malware is removed from one of the hacked servers, the downloader won’t lose its effectiveness.

First identified in 2014 as banking malware, the Emotet Trojan is a constantly improving and developing malware strain capable of delivering banking trojans, information stealers, and ransomware. Late December 2018, the Ryuk ransomware which seriously disrupted crucial production and printing processes of multiple US newspapers is linked by the researchers to the Emotet and TrickBot trojans. Emotet returns broadly targeted and modified, so we have updated the Emotet Trojan detector to secure your infrastructure: https://tdm.socprime.com/tdm/info/1279/