Proofpoint warns of Emotet's return

Cyber-attack based on real stolen emails


After a brief pause in distribution that began in October 2020, Emotet has once again gained prominence with a campaign of more than 100,000 messages in Spanish, English, German, Italian and Chinese, aimed at a range of industries such as manufacturing, technology and energy.

"It's remarkable that Emotet is back in business now, just a few days before Christmas, as they usually cease operations from 24 December until the beginning of January, so on this occasion the campaign could be incredibly short and unusual for them", says Sherrod DeGrippo, Senior Director of Proofpoint's Research and Detection Team.

In terms of volume, hundreds of thousands of Emotet samples are usually detected every day during a campaign, and the figures recorded since its reappearance this week point in that direction. Proofpoint's initial analysis of this new campaign has revealed that the threat's code has changed little, but the company is still investigating the extent to which it has been updated. Code changes are common after a significant period of downtime, and often indicate that the group behind the threat remains active during such pauses to improve its infrastructure.

Looking at the lures Emotet is using in its return campaign, the main one is conversation hijacking: every message is built on a real email that was stolen, so it arrives as an apparent reply within an existing, legitimate thread.

Although Emotet has historically had a module for stealing emails from infected victims, it is hard to say that this is where these messages originated, as the Proofpoint team has found that the same stolen emails have been used by different perpetrators over time.

"Emotet is known as one of the most disruptive threats in the world, and its return at a time when it is usually not active is very striking. As it has always been a first step for the deployment of other banking Trojans, it is critical that organisations are aware of its return," concludes DeGrippo.

From a mitigation standpoint, Proofpoint recommends that organisations use a secure email gateway with effective anti-malware capabilities, so that messages of this kind never reach users' inboxes. Because these emails arrive inside genuine conversations and are harder for recipients to spot, it is also crucial to run a strong security awareness programme that reinforces the risks posed by links and attachments in such messages.