Cybersecurity solutions firm Sophos discovered that Emotet, the ubiquitous botnet that arrives in the guise of any of a thousand different bogus email messages, never really went away when it suddenly stopped appearing in internal records and feeds of spam emails in February.
The sudden disappearance of the malware gave rise to a lot of rumors that the creators had been arrested, or contracted COVID-19, or simply had retired and planned to live the good life on the Black Sea coast. But these theories were squashed on July 17th, when Sophos saw a new wave of Emotet attacks swing back into action.
“We’ve talked a lot about Emotet in the past, including showing its malware ecosystem, and providing a series of deep-dive 101s, not forgetting showing the authors venting their frustration at Sophos. But then in February 2020, Emotet ceased production – its botnets stopped the activity, and the waves of spam campaigns went silent. This isn’t the first time it’s vanished off the radar, only to rise again months later – and that’s exactly what we saw again last Friday,” said Richard Cohen, senior threat researcher and manager of the Abingdon, UK detection team.
Unfortunately, Emotet is not merely a tool for thievery, but the botnet acts as a delivery mechanism for other malware, walking it through the firewall over the encrypted channels it creates, bypassing network-based defenses.
As a result, Sophos investigated many cases in which a large-scale ransomware infection began as the result of this simple but effective Trojan lying undetected for a period of time before the infected computer was used as a staging area for a larger attack against the company or organization on whose network it insinuated itself.
The Emotet gang has not changed their same, fundamental playbook they’ve followed for years. If you receive an email from an unknown source, or unexpectedly from a known source, with a Microsoft Office file attached, be extremely careful about opening it. In a related vein, if you receive an email that tells you to download such a file attachment in order to receive some sort of invoice or statement, be extremely suspicious.