Refreshed from its holiday, Emotet has gone phishing • The Register
Emotet is back. After another months-long lull since a spate of attacks in November 2022, the notorious malware operation that has already survived a law enforcement takedown and various periods of inactivity began sending out malicious emails on Tuesday morning.
Researchers with cybersecurity firms Cofense and Cryptolaemus, which track Emotet activity, both reported a sudden resumption of spamming from the botnet. And Palo Alto Networks’ Unit 42 threat intelligence group tweeted about the new activity, with the researchers saying they had “also seen new #Emotet #malspam and the associated malware (inflated Word docs and inflated Emotet Dll files).”
It’s unknown why the operation has started up now after three months of no activity, or how long it will last – the previous spamming in November 2022 lasted two weeks before everything stopped, and even that was preceded by three months of quiet.
However, Emotet’s return has generated a lot of discussion in the cybersecurity world about malware that less than a year ago was ranked by Check Point as the world’s top cyberthreat.
“We are seeing [Emotet’s] Red Dawn templates that are very large coming in at over 500MB,” Cryptolaemus tweeted about the Russia-linked malware operation. “Currently seeing a decent flow of spam … Get ready because here comes fat docs from Ivan!”
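The "inflated" Word documents and DLLs mentioned by Unit 42 and Cryptolaemus above are oversized files whose bulk is filler. The following is an added example, not code from the article or from any of the vendors it cites: a triage heuristic that flags large attachments dominated by a single repeated byte or that deflate to almost nothing. It assumes (the page does not say how the inflation is done) that the padding consists of long runs of one byte value such as 0x00; the thresholds, file names and sample bytes are all constructed for illustration.

```python
"""Triage heuristic for "inflated" attachments (oversized files that are
mostly filler). Added example, not from the article or any named vendor.

Assumption (not stated on the page): inflation is done by padding the
real payload with long runs of one byte value (e.g. 0x00), so the file is
huge on disk but is dominated by a single byte and compresses to almost
nothing. All thresholds and sample data below are constructed for illustration.
"""
import os
import zlib
from dataclasses import dataclass
from typing import Dict, List

SIZE_FLOOR = 1 * 1024 * 1024    # ignore files under 1 MiB (illustrative threshold)
FILLER_FRACTION = 0.90          # >= 90 % of bytes are one value -> padded
COMPRESSION_RATIO = 50.0        # raw/deflated size >= 50x -> padded


@dataclass
class InflationReport:
    size: int
    dominant_byte: int
    dominant_fraction: float
    compression_ratio: float

    @property
    def suspicious(self) -> bool:
        # Only large files matter: a small file cannot have been inflated
        # past a scanner's size cap, and short text compresses well anyway.
        return self.size >= SIZE_FLOOR and (
            self.dominant_fraction >= FILLER_FRACTION
            or self.compression_ratio >= COMPRESSION_RATIO
        )


def analyse_bytes(data: bytes) -> InflationReport:
    """Measure how much of `data` is one repeated byte and how well it deflates."""
    size = len(data)
    if size == 0:
        return InflationReport(0, 0, 0.0, 1.0)
    # bytes.count runs in C; 256 passes is still far cheaper than a Python loop.
    dominant = max(range(256), key=lambda b: data.count(bytes([b])))
    fraction = data.count(bytes([dominant])) / size
    compressed = len(zlib.compress(data, 1))   # level 1: cheap, still exposes long runs
    return InflationReport(size, dominant, fraction, size / max(compressed, 1))


def analyse_file(path: str) -> InflationReport:
    """Same check for a file on disk (reads it whole; fine for a few hundred MB)."""
    with open(path, "rb") as fh:
        return analyse_bytes(fh.read())


def triage(samples: Dict[str, bytes]) -> List[str]:
    """Return the names of attachments whose report is suspicious."""
    return [name for name, data in samples.items() if analyse_bytes(data).suspicious]


def build_samples() -> Dict[str, bytes]:
    """Constructed stand-ins for mail attachments (not real malware samples)."""
    # A zip-based Office file is already deflated inside, so its genuine
    # content looks close to random; os.urandom mimics that.
    real_doc = b"PK\x03\x04" + os.urandom(64 * 1024)
    return {
        # 64 KiB of "document" followed by 1.5 MiB of 0x00 padding
        "invoice.docx": real_doc + b"\x00" * (1536 * 1024),
        # same size, but genuinely high-entropy content throughout
        "report.docx": b"PK\x03\x04" + os.urandom(1600 * 1024),
        # small padded file: below SIZE_FLOOR, so not flagged
        "note.docx": b"PK\x03\x04" + b"\x00" * 4096,
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        r = analyse_bytes(data)
        print(f"{name}: {r.size} B, byte 0x{r.dominant_byte:02x} = {r.dominant_fraction:.1%}, "
              f"deflate ratio {r.compression_ratio:.0f}x, suspicious={r.suspicious}")
```

The compression-ratio test is only meaningful for formats that are already compressed (zip-based Office files, most DLL sections); a large plain-text file would also deflate well, so in practice the two signals should be combined with the file type and, where possible, with the size of the content that remains after the padding is trimmed.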
An evolving threat
Emotet started life almost a decade ago as a banking trojan, but it soon evolved into malware delivered through spear-phishing campaigns, including emails that contain malicious Microsoft Word and Excel attachments. In January 2021, law enforcement from the US, UK, Europe, and Ukraine took apart the operation’s infrastructure, but the group resurfaced 10 months later.
“The malware and actors resumed operations with a vengeance and rose back up to become one of the top malware families used in phishing attacks,” cybersecurity outfit AttackIQ wrote in a report last month.
One of Emotet’s attributes has been its flexibility in attachment types used to evade detection signatures, according to AttackIQ.
Cofense writes that the malicious emails being sent this week appear to be replying to email chains that already exist, with ZIP…