This article is more than 1 year old

Emotet reestablishes itself at the top of the malware world

Botnet infrastructure shut down last year, now central to a fast-spreading email scam, researchers say

More than a year after essentially being shut down, the notorious Emotet malware operation is showing a strong resurgence.

In a March threat index, Check Point researchers put the Windows software nasty at the top of its list as the most widely deployed malware, menacing or infecting as much as 10 percent of organizations around the globe during the month – a seemingly unbelievable estimate, and apparently double that of February.

Now Kaspersky Labs says a rapidly accelerating and complex spam email campaign is enticing marks with fraudulent messages designed to trick one into unpacking and installing Emotet or Qbot malware that can steal information, collect data on a compromised corporate network, and move laterally through the network and install ransomware or other trojans on networked devices.

Qbot, which is linked to the operators of Emotet, can also access and steal emails, Andrey Kovtun, email threats protection group manager for Kaspersky, wrote in a blog post this week.

The Kaspersky team said it had picked up 3,000 malicious Emotet-linked emails in February, and about 30,000 in a month later, written in such languages as English, French, Italian, Polish, Russian and Spanish.

"Some letters that cybercriminals send to the recipients contain a malicious attachment," Kovtun wrote. "In other cases, it has a link which leads to a file placed in a legitimate popular cloud-hosting service. Often, malware is contained in an encrypted archive, with the password mentioned in the e-mail body."

To increase the chances that the email recipient will open the attachment or download the malicious file through the link, the spam email often says that it contains important information, such as a commercial offer.

"Our experts have concluded that these e-mails are being distributed as part of a coordinated campaign that aims to spread banking Trojans," he wrote.

Can't keep profitable malware down

As an indication of the continuing development of Emotet by its operators, Cryptolaemus, the group of security researchers and systems administrators that came together more than two years ago to fight back against Emotet, said on Twitter this week that one of the botnet subgroups has switched from 32-bit to 64-bit for loaders and stealer modules.

The reemergence of Emotet into the top levels of the malware world happened quickly. In February 2021, Europol and police forces from such places as the US, Germany, the UK and Ukraine conducted a multinational takedown of the main botnet deploying Emotet. The operation included raids of the homes in Ukraine of the alleged operators.

Europol in a statement at the time said the raid severely disrupted Emotet's operations, which was used to "infiltrate thousands of companies and millions of computers worldwide."

However, Check Point Research this month noted in announcing its March threat index that Emotet returned in November 2021 and had gained momentum since the shutdown of the Trickbot botnet infrastructure in February. It is again the most prevalent malware.

"This was solidified even further [in March] as many aggressive email campaigns have been distributing the botnet, including various Easter-themed phishing scams exploiting the buzz of the festivities," the researchers wrote.

"These emails were sent to victims all over the world with one such example using the subject 'Buona Pasqua, happy easter,' yet attached to the email was a malicious XLS file to deliver Emotet." ®

More about


Send us news

Other stories you might like