Emotet Returns in Malspam Attacks Dropping TrickBot, QakBot

Emotet has resurfaced after a five-month hiatus, with more than 250,000 malspam messages being sent to email recipients worldwide.

Emotet has returned after a five-month hiatus. Researchers first spotted the malware in a campaign that has spammed Microsoft Office users with hundreds of thousands of malicious emails since Friday.

The malware first emerged in 2014, but has since then evolved into a full fledged botnet that’s designed to steal account credentials and download further malware – in this most recent case, banking trojans such as TrickBot and QakBot.

After its return last week, the botnet has sent more than 250,000 messages throughout the day to email recipients in the U.S., United Kingdom, Argentina, Brazil, Canada, Chile, Ecuador and Mexico, according to reports.

“The new campaign sports longtime Emotet tactics: emails carrying links or documents w/ highly obfuscated malicious macros that run a PowerShell script to download the payload from 5 download links,” according to Microsoft Security Intelligence researchers on Twitter.

The spam emails contain either a URL or an attachment, and purport to be sending a document in reply to existing email threads – a known trick of Emotet.

emotet malware

Credit: Microsoft

One sample email, for instance, asks email recipients to open an attachment called “Form – Jul 17, 2020.doc.” Another pretended that the document was an invoice. The document attachments contain a heavily obfuscated macro and ask recipients to enable content.

Once the macro is enabled, Windows Management Instruction then launches a PowerShell to retrieve the Emotet binary from a remote compromised websites. Finally, the payload is executed and sends a confirmation back to one of Emotet’s command and control (C2) servers.

“We have so far seen several hundreds of unique attachments and links in tens of thousands of emails in this campaign,” according to Microsoft. “The download URLs typically point to compromised websites, characteristic of Emotet operations.”

While the malspam emails bear various hallmarks of Emotet campaigns, researchers have noted that malicious URLs are now being distributed in PDFs, in addition to maldocs and malicious URLs in email body, representing “a shift in Emotet payload delivery,” according to Proofpoint researchers.

“We have so far seen several hundreds of unique attachments and links in tens of thousands of emails in this campaign,” said Proofpoint researchers on Twitter. “The download URLs typically point to compromised websites, characteristic of Emotet operations.”

Researchers also report that Emotet is being used as a downloader for other malware, such as Qakbot, a worm-like strain of information-stealing malware that’s been around since 2009, and TrickBot, a popular banking trojan.

Emotet was last seen in February 2020, in a campaign that sent SMS messages purporting to be from victims’ banks. Once victims clicked on the links in the text messages, they are asked to hand over their banking credentials and download a file that infects their systems with the Emotet malware. Also in February, researchers uncovered an Emotet malware sample with the ability to spread to  insecure Wi-Fi networks that are located nearby to an infected device.

In 2019, Emotet went on a similar hiatus, disappearing over the summer before returning to drop other banking trojans, information stealers, email harvesters, self-propagation mechanisms and ransomware.

“The Emotet Trojan was by far the most visible and active threat on our radars in 2018 and 2019—right up until it went into an extended break,” said Malwarebytes researchers on Friday. “The real damage that an Emotet compromise causes happens when it forms alliances with other malware gangs and in particular threat actors interested in dropping ransomware.”

Suggested articles


  • Suraj Mundalik on

    Good one. Love to read your quick posts, saves time! Just a little thing far as I know WMI, it should be Windows Management Instrumentation (rather than Instruction). Thanks!

Leave A Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.