Earlier this month, the Emotet botnet, which has shown no signs of life since February 2020, returned to service with a new spam campaign. After observing the malware, cybersecurity specialists reported that the botnet had changed its main payload and is now spreading the QakBot (QBot) banking trojan, which replaced the usual TrickBot botnet. Although unknown "well-wishers" are trying to sabotage the botnet, replacing payloads with GIF files, Emotet has become one of the most active threats in recent weeks.
TOP10 last week's threats by uploads
⬆️ #Emotet 1371 (315) ☠️
⬆️ #njRAT 150 (146)
⬇️ #AgentTesla 118 (176)
⬇️ #FormBook 105 (121)
⬇️ #NanoCore 75 (84)
⬆️ #AsyncRAT 61 (49)
⬇️ #LokiBot 57 (67)
⬇️ #Qealler 55 (106)
⬆️ #Masslogger 44 (38)
⬇️ #Remcos 42 (68)
https://t.co/98nRpXOxWw
– ANY.RUN (@anyrun_app) July 27, 2020
Now BleepingComputer, citing Binary Defense experts, reports that the malware has gained new functionality: it has begun to steal contact lists, as well as the content and attachments of its victims' emails, so that the spam it sends looks as authentic as possible to subsequent recipients. This was confirmed by the well-known information security researcher Marcus Hutchins (aka MalwareTech), who notes that the data-theft module appeared in Emotet around June 13 of this year.
Can confirm Emotet's email stealer module was updated to steal email attachments, as well as email content and contact lists. The additional code was added around June 13th. pic.twitter.com/9xe3lM6qca
– MalwareTech (@MalwareTechBlog) July 28, 2020
Experts write that the new tactic allows Emotet operators to make effective use of the intercepted emails and "join" users' conversations. This means that a malicious URL or attachment ends up looking like a new message in an ongoing discussion. Moreover, unlike other cybercriminals, Emotet operators use not only the "body" of the stolen messages but also the attachments from them, according to analysts at Cofense.
in addition to stolen body text, emails are now including original attachment content to add even more legitimacy.
significant data breach implications, again demonstrating that emotet infections are serious https://t.co/bWbHxGWZK4
– Cryptolaemus (@Cryptolaemus1) July 28, 2020
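The thread-hijacking tactic described above is easiest to reason about from the receiving side: a reply that threads into a real conversation, quotes its text and reuses a participant's display name, but arrives from an address that never took part in the thread and carries a document or link. The following script is an added example written for this page, not code from the article or from any of the researchers quoted. It implements that check with Python's standard `email` library; every message, address, domain and Message-ID in it is a constructed sample.

```python
"""Heuristic check for reply-chain hijacking of the kind described in the
article.  Added example; all messages, addresses, domains and Message-IDs
below are constructed, not taken from any real campaign."""
import re
from email import policy
from email.parser import BytesParser

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed two-message thread between two legitimate correspondents.
LEGIT_1 = b"""From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Q3 invoice
Message-ID: <thread-1@example.com>
Content-Type: text/plain

Bob, here is the draft invoice text, please review.
"""

LEGIT_2 = b"""From: Bob <bob@example.org>
To: Alice <alice@example.com>
Subject: Re: Q3 invoice
Message-ID: <thread-2@example.org>
In-Reply-To: <thread-1@example.com>
References: <thread-1@example.com>
Content-Type: text/plain

Looks fine, I will sign it tomorrow.
"""

# Constructed hijacking reply: it references the real thread, quotes Bob's
# last message and reuses his display name, but comes from a foreign domain
# and carries a document attachment (the attachment bytes are dummy data).
HIJACK = b"""From: Bob <bob@mail-delivery.invalid>
To: Alice <alice@example.com>
Subject: Re: Q3 invoice
Message-ID: <x1@mail-delivery.invalid>
In-Reply-To: <thread-2@example.org>
References: <thread-1@example.com> <thread-2@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

> Looks fine, I will sign it tomorrow.
Please open the attached updated document.
--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAA=
--b1--
"""


def parse(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage (policy.default)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def participants(msg):
    """Map lower-cased address -> lower-cased display name for From/To/Cc."""
    people = {}
    for header in ("From", "To", "Cc"):
        value = msg[header]
        if value is not None:
            for addr in value.addresses:
                people[addr.addr_spec.lower()] = addr.display_name.lower()
    return people


def index_mailbox(raw_msgs):
    """Index already-delivered messages by Message-ID so replies can be matched."""
    return {str(m["Message-ID"]).strip(): m for m in map(parse, raw_msgs)}


def assess(raw, index):
    """Score one incoming message against the threads it claims to belong to."""
    msg = parse(raw)
    refs = set()
    for header in ("In-Reply-To", "References"):
        if msg[header] is not None:
            refs.update(str(msg[header]).split())
    # Everyone who took part in the referenced messages we actually hold.
    known = {}
    for ref in refs:
        if ref in index:
            known.update(participants(index[ref]))
    from_hdr = msg["From"]
    sender_addr = from_hdr.addresses[0].addr_spec.lower() if from_hdr else ""
    sender_name = from_hdr.addresses[0].display_name.lower() if from_hdr else ""
    reasons = []
    stranger = bool(known) and sender_addr not in known
    if stranger:
        reasons.append("sender never took part in the referenced thread")
        if sender_name and sender_name in known.values():
            reasons.append("sender reuses a thread participant's display name")
    attachments = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    has_url = bool(URL_RE.search(text))
    if attachments:
        reasons.append("reply carries an attachment")
    if has_url:
        reasons.append("reply body contains a link")
    return {
        "sender": sender_addr,
        "known_participants": sorted(known),
        "attachments": attachments,
        "suspicious": stranger and (bool(attachments) or has_url),
        "reasons": reasons,
    }


if __name__ == "__main__":
    mailbox = index_mailbox([LEGIT_1, LEGIT_2])
    for label, raw in (("legit reply", LEGIT_2), ("hijack", HIJACK)):
        print(label, assess(raw, mailbox))
```

The check deliberately keys on the two things the article says Emotet now has: the stolen thread (so the reply threads correctly and quotes real text) and the stolen attachment (so the lure is a document, not just a link). A reply from a known participant with an attachment is not flagged, because that is what normal business mail looks like; only the combination of a foreign sender and a payload is.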