Emotet botnet returns after a five-month absence

2019's most active malware botnet returns to life with a new spam campaign after going dark on February 7, 2020.

Emotet, 2019's most active cybercrime operation and malware botnet, has returned to life today with new attacks, ZDNet has learned.

Prior to today's attacks, Emotet stopped all activity on February 7, Sherrod DeGrippo, Senior Director Threat Research at Proofpoint, told ZDNet in an email today.

The botnet, which runs from three separate server clusters -- known as Epoch 1, Epoch 2, and Epoch 3 -- is spewing out spam emails and trying to infect new users with its malware payload.

"Today's campaign so far has recipients primarily in the US and UK with the lure being sent in English," DeGrippo said.

"The emails contain either a Word attachment or URLs linking to the download of a Word document that contains malicious macros which, if enabled by the users, will download and install Emotet.

"The campaign is ongoing and has reached around 250,000 messages so far today," DeGrippo added.

Sample Emotet spam email message

Image: Spamhaus

Cryptolaemus, a group of security researchers dedicated to detecting and tracking Emotet, have also confirmed Emotet's comeback, along with other cyber-security firms such as CSIS, Microsoft, Malwarebytes, Abuse.ch, and Spamhaus.

The news of Emotet's return is one that nobody in the cyber-security industry is likely to enjoy. Before going dark in February, Emotet was, by far, the largest, most active, and most sophisticated cybercrime operation.

The Emotet gang operates an email spam infrastructure that it uses to infect end-users with the Emotet trojan. It then uses this initial foothold to deploy other malware, either for its own interest (such as deploying a banking trojan module) or for other cybercrime groups who rent access to infected hosts (such as ransomware gangs, other malware operators such as Trickbot, etc.).

Due to its close ties to ransomware gangs, in some countries such as Germany or the Netherlands, Emotet is treated with the same level of urgency as a ransomware attack. Companies and organizations that find an Emotet-infected host are told to isolate the infected system and take their entire network offline as they investigate, a measure necessary to prevent the delivery of a ransomware payload in the meantime.

This is the second major break that Emotet has taken in the past two years. It also ceased all operations between May and September last year.