Following five months of inactivity, the Emotet malware has returned according to security researchers from Proofpoint who have observed its comeback in the wild.

First discovered back in 2014, Emotet was originally used to commit banking fraud and for years the malware was widely classified as a banking Trojan. However, later versions of the malware stopped loading their own banking module and began using third-party banking malware instead.

In May of last year, Proofpoint researchers observed Emotet delivering third-party payloads including Qbot, The Trick, IcedID and Gootkit. The malware also now loads modules for spamming, credential stealing, email harvesting and spreading via local networks.

Return of Emotet

Proofpoint researchers have observed almost a quarter of a million Emotet messages sent on July 17 and unfortunately this number continues to grow.

TA542 is the threat actor responsible for sending these messages and it appears the group is targeting multiple verticals in the US and UK with English language lures. The messages it has sent out contain malicious Microsoft Word attachments or URLs that link to Word documents and many of these URLs often point to compromised WordPress hosts.

These lures are similar to those sent out in January of this year and they are simple with minimal customization. The messages have subject lines like”RE:” or “Invoice #” followed by a fake invoice number and often include the name of the organization being targeted as well.

Just as other malicious attachments do, the ones sent in TA542’s messages request that users enable macros. Once this done though, the Emotet malware is downloaded and installed on the targeted user or organization’s systems. The malware then downloads and installs additional modules which it uses to steal credentials, harvest emails and spread across local networks.

Now that Emotet has reared its ugly head once again, organizations and individuals should be extra cautious when checking their email and avoid opening any attachments from unknown senders.

Source Article