Emotet Botnet Grows in Size and Activity
The Malware May Soon Switch to New Payloads That Are Caught by Fewer Antivirus Engines.
Known as a banking Trojan, Emotet is a kind of malware that belongs to the banking Trojans malware strain. Malspam, which are spam emails that contain malware, is the primary method of spreading it (hence the term). Users are more likely to be persuaded if the communications feature recognized branding and are formatted in the same way as emails from well-known and trustworthy organizations such as PayPal or DHL.
Because of a recent spike in dissemination, the Emotet malware is anticipated to shortly transition to new payloads that are now identified by fewer antivirus engines.
Emails with dangerous payloads have surged tenfold in recent months, according to security experts who are monitoring the botnet.
Because of its sluggish but steady growth since the beginning of this year, it is possible that its operators are changing up a gear at this point in their operations.
A study issued today by Kaspersky indicates that Emotet activity has increased dramatically from February to March, with an increase from 3,000 emails to 30,000 emails in only two months’ time.
Kaspersky experts have detected significant growth in complex malicious spam emails targeting organizations in various countries. These emails are being distributed as part of a coordinated campaign that aims to spread Qbot and Emotet – two notorious banking Trojans that function as part of botnet networks. Both malware instances are capable of stealing users’ data, collecting data on an infected corporate network, spreading further in the network, and installing ransomware or other Trojans on other devices in the network. One of the functions of Qbot is also to access and steal emails.
While this campaign has been ongoing for a few months, its activity increased rapidly from ~3,000 emails in February 2022 to ~30,000 in March. Malicious emails have been detected in the English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian and Spanish languages.
The malware-spreading campaign is structured as follows: cybercriminals intercept already existing correspondence and send the recipients an email containing a file or link, which often leads to a legitimate popular cloud-hosting service. The aim of the email is to convince users to either (i) follow the link and download an archived document and open it – sometimes using a password mentioned in the email, or (ii) simply open an email attachment. To convince users to open or download the file the attackers usually state that it contains some important information, such as a commercial offer.
English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian, Spanish, and Chinese are among the languages utilized in these communications.
Emotet distributors are well-known for changing the themes on a regular basis in order to take advantage of seasonal interest swifts. Instead, they are taking advantage of the Easter holiday celebrations.
As BleepingComputer reports the security researchers from the Cryptolaemus security research group, who are keeping a close eye on the Emotet botnet’s activity, reported that the malware’s operators have also switched to 64-bit loaders and stealer modules on Epoch 4, one of the botnet’s subgroups that runs on its own infrastructure. Previous versions of the software made use of 32-bit programming.
🚨#Emotet Update🚨 – Looks like Ivan laid an egg for easter and has been busy. As of about 14:00UTC today 2022/04/18 – Emotet on Epoch 4 has switched over to using 64-bit loaders and stealer modules. Previously everything was 32-bit except for occasional loader shenanigans. 1/x
— Cryptolaemus (@Cryptolaemus1) April 19, 2022