After adding a Wi-Fi spreader module earlier this year that lets it brute-force its way onto nearby wireless networks, the operators of the Emotet malware are now attaching files stolen from victims' mailboxes to their spam emails to make them look more authentic and so infect more users.
As reported by BleepingComputer, this is the first time the botnet has used stolen attachments to add credibility to its emails. According to researcher Marcus Hutchins, the attachment stealer module responsible was added to the malware around June 13.
When it was first discovered back in 2014, Emotet was a banking trojan. It has since evolved into a malware-delivery botnet that attackers use to install other malware families, such as TrickBot and the QakBot trojan, on the systems it infects.
Cofense Labs also confirmed that Emotet is now leveraging stolen attachments in a post on Twitter, which reads:
“Emotet seems to be using not only stolen email bodies, but is now including stolen attachments as well. This lends to even more authenticity in their phishing emails. In one example we found 5 benign attachments and a dropper link within the templated portion of the email.”
Return of Emotet
Following more than five months of inactivity, Emotet resumed operations on July 17, and since then the botnet has been sending malicious spam disguised as payment reports, invoices, job opportunities and shipping information from all of its server clusters.
Since its return, the malware has been used to install TrickBot on Windows systems and, more recently, to spread QakBot, which replaced TrickBot as its initial payload. Government agencies around the world have also begun warning businesses and consumers about the danger Emotet poses, with the Australian Cyber Security Centre (ACSC) and the Cybersecurity and Infrastructure Security Agency (CISA) each issuing separate advisories about the malware.
Using stolen attachments to make its malicious emails appear more legitimate is a clever tactic. The attachments themselves are genuine files lifted from a real conversation, so attachment scanning, sandboxing and reputation checks find nothing wrong with them, and email security solutions that weigh "has legitimate-looking attachments" as a sign of a real message will have a harder time telling these emails from ordinary ones. The malicious element is the dropper link placed in the new, templated part of the message (in the Cofense example, alongside five benign attachments), so that is where filters and human reviewers still need to look.
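The following Python script is an added illustration, not code from the article, from Cofense or from BleepingComputer. It shows what a hijacked reply chain looks like to a mail filter and where a heuristic can still bite: it parses a constructed .eml, separates the new "templated" text from the quoted thread, and flags a reply that carries a link in the new text while its attachments are unrelated files and its sender address appears nowhere in the quoted conversation. The sample messages, domains, finding names and the two-findings threshold are all assumptions made for the example.

```python
"""Heuristic triage for reply-chain phishing with stolen attachments.

Added example; not Emotet's code and not any vendor's detection logic.
Both messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample: a hijacked thread. The quoted part is a real-looking
# conversation; the new (templated) text carries the link, and two
# benign-looking files stolen from elsewhere ride along as attachments.
SAMPLE_EML = """\
From: "Alice Partner" <billing@third-party.example>
To: bob@victim.example
Subject: RE: Invoice 4471 - March
In-Reply-To: <orig-1@partner.example>
References: <orig-1@partner.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi Bob,

Please see the updated document here: http://files.example.net/doc/view
Let me know if you have questions.

On Tue, 21 Jul 2020, Bob Victim <bob@victim.example> wrote:
> Alice, can you resend the March invoice?
>
> On Mon, 20 Jul 2020, Alice Partner <alice@partner.example> wrote:
>> Attached is invoice 4471 for March.

--b1
Content-Type: application/pdf; name="invoice-4471.pdf"
Content-Disposition: attachment; filename="invoice-4471.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed control: an ordinary message with a link but no hijacked thread.
BENIGN_EML = """\
From: alice@partner.example
To: bob@victim.example
Subject: Lunch?
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

See you at noon: http://cafe.example/menu
"""

# Lines that start the quoted (stolen) portion of a reply; assumed patterns.
QUOTE_START = re.compile(r"^(On .+wrote:|>|-----Original Message-----)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def split_reply(body: str):
    """Return (new_text, quoted_text): everything from the first quote marker on is quoted."""
    new_lines, quoted_lines = [], []
    in_quote = False
    for line in body.splitlines():
        if not in_quote and QUOTE_START.match(line.strip()):
            in_quote = True
        (quoted_lines if in_quote else new_lines).append(line)
    return "\n".join(new_lines), "\n".join(quoted_lines)


def is_reply(msg: Message) -> bool:
    subj = (msg.get("Subject") or "").strip().lower()
    return subj.startswith(("re:", "fw:", "fwd:")) or bool(msg.get("In-Reply-To") or msg.get("References"))


def text_body(msg: Message) -> str:
    """First inline text/plain part, decoded."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def attachments(msg: Message):
    return [p.get_filename() for p in msg.walk() if p.get_content_disposition() == "attachment"]


def triage(raw: str) -> dict:
    """Score one raw RFC 822 message; 'suspicious' needs at least two findings (assumed threshold)."""
    msg = message_from_string(raw)
    new_text, quoted_text = split_reply(text_body(msg))
    new_urls = URL_RE.findall(new_text)
    quoted_addrs = {a.lower() for a in ADDR_RE.findall(quoted_text)}
    sender = parseaddr(msg.get("From", ""))[1].lower()
    atts = attachments(msg)
    findings = []
    if is_reply(msg) and quoted_text and new_urls:
        findings.append("link_in_new_text_of_reply")   # payload sits in the templated part
    if sender and quoted_addrs and sender not in quoted_addrs:
        findings.append("sender_not_in_quoted_thread")  # "Alice" is writing from a stranger's mailbox
    if atts and new_urls:
        findings.append("attachments_plus_link")        # benign files used as camouflage for a link
    return {"sender": sender, "attachments": atts, "new_urls": new_urls,
            "quoted_addresses": sorted(quoted_addrs), "findings": findings,
            "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for name, raw in (("hijacked thread", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(name, triage(raw))
```

The point of the address check is the one the stolen-attachment trick does not fix: the body and files are genuine, but the message is sent from whatever account the botnet controls, and that address rarely matches the participants visible in the quoted thread. Display-name spoofing defeats a human reading "From: Alice Partner", not a comparison of the actual address against the conversation.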
Now that Emotet has once again updated its tactics to evade detection and reach more users, organizations and individuals should be extra careful with email. The usual advice to avoid attachments from unknown senders is not enough here: these messages arrive as replies to conversations the recipient actually had, apparently from people they know. Treat an unexpected link or attachment in a reply with the same suspicion as one in a cold email, check that the sending address really belongs to the person named, and confirm unexpected requests with the sender through a separate channel before opening anything.