Emotet Campaign Ramps Up with Mass Email Harvesting Module

The new variant can exfiltrate emails for a period going back 180 days, en masse.

A large-scale spam campaign has launched, spreading the Emotet banking trojan. Worryingly, the offensive has launched about a week after a fresh module for mass email-harvesting was detected for the malware.

Emotet is technically a banking trojan, but it’s most often used as a dropper for a variety of secondary payloads (including TrickBot, Zeus Panda Banker, IcedID and other malware), with credential-stealing, network propagation, sensitive information harvesting, port forwarding and other capabilities. It has a flexible, modular architecture, which, when combined with its persistence and worm-like method of rapid self-propagation throughout networks, makes it a considerable threat.

US-CERT in July issued a security notice for Emotet, noting that it’s “among the most costly and destructive malware affecting state, local, tribal and territorial (SLTT) governments.” It also said Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Recently, Emotet added a new module to up the ante on its ability to harvest victim email account credentials and contact lists: It can now exfiltrate entire email contents stretching back 180 days.

“Not only does that ratchet up the risk of losing sensitive information, it also means many victims will be required to initiate data breach notification protocol,” Barkly researchers said in an email alert last week on the new module. “In addition to infecting new victims with the module, attackers are also installing it on previously infected machines they still have access to.”


Just after that discovery, ESET noticed the latest campaign ramping up last week, following a bit of a lull for the malware’s activity. The spam is well-crafted, and contains malicious links or Microsoft Word and PDF attachments disguised as invoices, bank account alerts or payroll reports. The messages purport to be from major banks, and use legitimate logos and other visuals to be more convincing.

The messages appear to target English- and German-speaking users in this latest Emotet campaign, and the campaign appears to be most active in the Americas, the U.K., Turkey and South Africa.

“Following the instructions in the document, the victim enables macros in Word or clicks on the link in the PDF,” explained ESET researchers, in a post on Friday. “The Emotet payload is subsequently installed and launched, establishes persistence on the computer and reports the successful compromise to its command-and-control server. In turn, it receives instructions on which attack modules and secondary payloads to download.”

Figure: Emotet detections are spiking.

They also said that new builds of Emotet binaries are released approximately every two hours, in an effort to stay ahead of AV signatures.

The campaign is ongoing.

“This recent spike in Emotet activity just goes to show that Emotet continues to be an active threat – and an increasingly worrying one due to the recent module updates,” the research team noted.

In terms of protection, since the Word documents distributed in this campaign require users to enable macros, admins should adjust Office settings to restrict or disable that option altogether.
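One way to apply that hardening on a Windows endpoint, as an added example that is not from the article or from the ESET and Barkly research: a PowerShell snippet that audits and then enforces the Word, Excel and PowerPoint macro policy through the Office policy registry keys (VBAWarnings = 4 disables all macros without notification; blockcontentexecutionfrominternet = 1 blocks macros in files that carry the Mark-of-the-Web, such as e-mail attachments). The Office registry version "16.0" and the use of the current user's policy hive are assumptions; in a domain the same values are normally delivered by Group Policy.

```powershell
# Added example (not from the article): audit and enforce Office macro policy on one endpoint.
# Assumptions: Office 2016 or later (registry version "16.0"); the current user's policy hive
# is the target. In a domain, push the same values via Group Policy instead of editing the registry.

$OfficeVersion = '16.0'   # assumption: Office 2016/2019/365 share the 16.0 registry branch
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values: 1 = enable all macros (weakest), 2 = disable with notification (the Office
# default, and exactly what an Emotet lure relies on: the user clicks "Enable Content"),
# 3 = disable except digitally signed, 4 = disable all without notification (strongest).
$DesiredSettings = @{
    VBAWarnings                       = 4
    blockcontentexecutionfrominternet = 1   # block macros in files tagged as downloaded / mailed
}

function Get-MacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $result = [ordered]@{ App = $App }
    foreach ($name in $DesiredSettings.Keys) {
        # Missing value means no policy is enforced and the app falls back to its own Trust Center setting.
        $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        $result[$name] = if ($null -eq $value) { 'not set (no policy enforced)' } else { $value }
    }
    [pscustomobject]$result
}

function Set-MacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($name in $DesiredSettings.Keys) {
        Set-ItemProperty -Path $path -Name $name -Value $DesiredSettings[$name] -Type DWord
    }
}

Write-Host 'Macro policy before hardening:'
$Apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize

$Apps | ForEach-Object { Set-MacroPolicy -App $_ }

Write-Host 'Macro policy after hardening:'
$Apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
```

Run the audit half alone (the two Get-MacroPolicy passes) to check a fleet before changing anything; a value of 2 or an unset key is the state the campaign's "enable macros" lure depends on.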
