This notorious malware has returned after months of absence.

The Emotet malware is back after five months of inactivity, according to Proofpoint security researchers, who have observed its return to the wild. First discovered in 2014, Emotet was originally used to commit bank fraud and for years the malware has been widely classified as a banking Trojan. However, later versions of the malware stopped loading their own banking module and started using third-party banking malware. In May of last year, Proofpoint researchers observed that Emotet was serving payloads from third parties, including Qbot, The Trick, IcedID, and Gootkit. The malware now also loads modules for spam, credential theft, email collection and distribution over local networks.

Return of Emotet

Proofpoint researchers observed nearly a quarter of a million Emotet messages sent on July 17, and that volume continues to rise. TA542, the threat actor behind these messages, appears to be targeting various verticals in the US and UK with English-language lures. The messages carry malicious Microsoft Word attachments or URLs pointing to Word documents, and many of those URLs lead to compromised WordPress hosts. The lures resemble those seen in January of this year: straightforward, with minimal customization. Subject lines are typically "RE:" or "Invoice #" followed by a fake invoice number, and often include the name of the recipient organization. Like other malicious Office attachments, the documents ask users to enable macros. Once macros are enabled, Emotet is downloaded and installed on the target user's or organization's systems, after which it fetches additional modules used to steal credentials, harvest emails, and spread across local networks. Now that Emotet has reared its ugly head again, organizations and individuals need to be very careful when checking their email and avoid opening attachments from unknown senders. Because Emotet also harvests victims' mailboxes, a lure can arrive from a familiar contact, so a known sender is not by itself a safe signal; blocking macro execution in documents that arrived from the internet is the more dependable control.
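The lure characteristics described above (bare "RE:" or "Invoice #" subjects, recipient organization in the subject, Word attachments that want macros enabled, links to Word documents on WordPress hosts) translate directly into mail-gateway triage rules. The script below is an added example written for this page, not Proofpoint's tooling or anything recovered from TA542; the sample messages are constructed, the minimal OOXML containers are built in memory, and treating a URL with a `/wp-content/`, `/wp-includes/` or `/wp-admin/` path as "WordPress-hosted" is this example's own assumption. Macro detection works only for OOXML (`.docm`/`.docx`) zip containers, where macros live in `word/vbaProject.bin`; legacy OLE `.doc` files are flagged for separate inspection rather than guessed at.

```python
"""Triage heuristics for the Emotet lure pattern described in the article.

Added example for this page; not Proofpoint's or TA542's code.
All sample messages and attachments below are constructed inline.
"""
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass, field

# Subject patterns from the article: a bare "RE:" or "Invoice #<number>".
SUBJECT_RE = re.compile(r"^(RE:|Invoice\s*#\s*\d+)", re.IGNORECASE)
# Assumption: a URL carrying a WordPress content/plugin/admin path is "WordPress-hosted".
WP_PATH_RE = re.compile(r"https?://[^\s\"']+/wp-(content|includes|admin)/[^\s\"']*", re.IGNORECASE)
WORD_EXTS = (".doc", ".docm", ".dotm", ".docx")


@dataclass
class Message:
    subject: str
    body: str
    org_name: str                                    # recipient organisation name
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


def has_vba_project(data: bytes) -> bool:
    """OOXML documents are zip containers; VBA macros are stored in word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # legacy OLE .doc or not a document at all: cannot tell from here


def triage(msg: Message) -> list[str]:
    """Return the list of lure indicators found in one message (empty list = nothing seen)."""
    flags: list[str] = []
    if SUBJECT_RE.match(msg.subject.strip()):
        flags.append("subject:invoice-or-re-lure")
    if msg.org_name.lower() in msg.subject.lower():
        flags.append("subject:contains-recipient-org")
    for name, data in msg.attachments.items():
        if name.lower().endswith(WORD_EXTS):
            flags.append(f"attachment:word-document:{name}")
            if has_vba_project(data):
                flags.append(f"attachment:vba-macros:{name}")
            elif name.lower().endswith(".doc"):
                flags.append(f"attachment:legacy-doc-needs-ole-check:{name}")
    for m in WP_PATH_RE.finditer(msg.body):
        url = m.group(0)
        if url.lower().split("?")[0].endswith(WORD_EXTS):
            flags.append(f"url:word-doc-on-wordpress-path:{url}")
    return flags


def build_docm(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container (real files carry many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")  # placeholder bytes
    return buf.getvalue()


# Constructed samples: two shaped like the described lures, one benign.
SAMPLE_LURE = Message(
    subject="Invoice #48213 - Example Corp",
    body="Please review the attached invoice.",
    org_name="Example Corp",
    attachments={"Invoice_48213.docm": build_docm(with_macros=True)},
)
SAMPLE_URL_LURE = Message(
    subject="RE:",
    body="See http://shop.example.net/wp-content/uploads/2020/07/invoice.doc",
    org_name="Example Corp",
)
SAMPLE_BENIGN = Message(
    subject="Lunch on Friday?",
    body="Menu at http://example.org/menu.html",
    org_name="Example Corp",
    attachments={"menu.docx": build_docm(with_macros=False)},
)

if __name__ == "__main__":
    for m in (SAMPLE_LURE, SAMPLE_URL_LURE, SAMPLE_BENIGN):
        print(repr(m.subject), triage(m))
```

A single indicator (a `.docx` attachment, say) is common in legitimate mail, so in practice these flags feed a score or a sandbox-detonation decision rather than an outright block; the combination of an invoice-style subject, the recipient's own organization name, and a macro-bearing document is what makes the message stand out.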