The Emotet malware is once again making the titles. According to a new AdvIntel report, so far in 2022, a total of 1,267,598 Emotet infections have been detected worldwide, with significant peaks between February and March, and June and July. The malware has been leveraged by post-Conti ransomware groups such as Quantum and BlackCat.
Emotet Malware: Short History
Shortly said, Emotet is an “all-in-one malware” which could be set by threat actors to either download other malware and steal files by intercepting internet traffic, or recruit the compromised systems into its botnet network. Known since at least 2014, the malware has been used in various attacks against both private targets and company and government networks. The malware was initially designed as a banking trojan, and is believed to be of Eastern European origin.
“The Emotet botnet (also known as SpmTools) has fueled major cybercriminal groups as an initial attack vector, or precursor, for numerous ongoing attacks. From November 2021 to Conti’s dissolution in June 2022, Emotet was an exclusive Conti ransomware tool, however, the Emotet infection chain is currently attributed to Quantum and BlackCat,” AdvIntel’s report noted.
In August 2020, security researchers created an exploit and subsequently a killswitch (dubbed EmoCrash) to prevent the malware from spreading. Before being stopped by law enforcement, it was actively distributed in spam campaigns themed with the coronavirus pandemic. Then, in 2021, months after it was dismantled by law enforcement, Emotet was resurrected. A report by security researcher Luca Ebach saw signs of Emotet usage in the wild in November last year, indicating that TrickBot was being utilized to deploy a new variant of Emotet on systems previously compromised by TrickBot.
Current Emotet Activity [2022]
The current botnet flow for the malware, as per the report, is Emotet – Cobalt Strike – Ransomware Operation. This means that the threat actors are now using it primarily as a malware dropper/downloader for a Cobalt Strike beacon. The latter deploys the payload which enables the hackers to compromise networks and carry out ransomware attacks.
The malware can be used in any of the following malicious activities:
- Discovery of email accounts;
- Brute forcing;
- Harvesting credentials from password stores and web browsers;
- Obtaining local email collections;
- Exfiltration of sensitive data over its command-and-control channel;
- Process injections (DLLinjections);
- Execution of the malware which relies on user interaction (such as opening a malicious email attachment).
We will continue to monitor Emotet’s activity and inform you on any new occurrences.
Related Story: Malware Statistics 2022: Ransomware Continues to Be the Top Threat
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: