King of ransomware is active again
Emotet had gone quiet since the beginning of 2021, after authorities destroyed its infrastructure. Since last weekend, the king of ransomware has been active again and is being discovered in more and more IT systems. After first becoming known as a banking Trojan, Emotet developed in recent years into an access broker that gave various ransomware groups access to the victims’ systems.
The security researchers at Zscaler have also observed the distribution of Emotet malware via spam email campaigns. Initial analyses show that the new version of the Emotet malware is similar to its previous variants in many aspects. However, some changes were also noticed, for example in the Command & Control (C&C) data and the encryption used. Emotet also seems to use HTTPS instead of plain HTTP for C&C communication to avoid early detection. Most of the other features appear to be the same as those of previous variants.
So the king of malware is once again picking up exactly where it was active before the takedown: the goal remains to give ransomware groups initial access to the IT systems of companies, and with that a successful malware actor reappears on the scene to reignite ransomware activity.
As can be seen from the attached screenshot of a spam e-mail, Emotet first uses a reply-chain strategy in its spam campaigns. The attachments used are MS-Word documents (“.docm”), MS-Excel workbooks (“.xlsm”) and password-protected “.zip” files.
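As an added defender-side example (not part of the Zscaler post), the following Python flags inbound mail that combines the two traits described above: a reply-chain lure and one of the named attachment types, treating a .zip as suspicious only when it is password protected. The subjects, file names and archive bytes are constructed for the demo; the reply prefixes checked are an assumption.

```python
import io, zipfile
from email.message import EmailMessage

# Attachment types the post names: macro-enabled Office files are flagged
# outright, .zip archives only when they are password protected.
MACRO_DOC_EXT = (".docm", ".xlsm")

def zip_is_encrypted(data: bytes) -> bool:
    """True if any member sets bit 0 (encrypted) of its general-purpose flags."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def looks_like_reply_chain(msg: EmailMessage) -> bool:
    """Reply-chain lure: a reply/forward subject prefix or an In-Reply-To header."""
    subject = (msg.get("Subject") or "").strip().lower()
    return subject.startswith(("re:", "aw:", "fw:", "fwd:")) or bool(msg.get("In-Reply-To"))

def suspicious_attachments(msg: EmailMessage) -> list:
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(MACRO_DOC_EXT) or (name.endswith(".zip") and zip_is_encrypted(payload)):
            hits.append(name)
    return hits

def should_quarantine(msg: EmailMessage) -> bool:
    return looks_like_reply_chain(msg) and bool(suspicious_attachments(msg))

def build_sample(subject: str, filename: str, data: bytes) -> EmailMessage:
    """Constructed sample message for testing (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please see attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg

def constructed_zip(encrypted: bool) -> bytes:
    """Tiny archive; with encrypted=True the encryption flag bit is set by hand in the
    local header (offset 6) and central directory entry (offset 8), as zipfile cannot encrypt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)
```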
Zscaler detects the initial infection in the cloud sandbox. Further analyses will follow and will be published on the Zscaler blog on an ongoing basis.