Hundreds of thousands of Emotet attacks spotted daily after four-month hiatus

The botnet that refuses to die returns again and is equipped with new payloads and tactics to evade detection

The cyber criminals running the Emotet botnet operation are already among the highest-volume threat actors in the current cyber security landscape, having rebooted after a four-month break.

Detections of Emotet payloads dropped off in July 2022 but re-emerged in early November, according to cyber security firm Proofpoint, and the botnet is now acting as a primary facilitator for the delivery of major malware strains.

Emotet had previously returned to activity in November 2021, less than a year after a law enforcement operation shut down its original infrastructure, which had been used to target businesses with malware for years.

The company said it has been blocking hundreds of thousands of Emotet-related emails every day, putting it among the most voluminous email threat campaigns currently in operation.

Following its historical patterns, Emotet demonstrated continued evolution in the way it operates, including a change in lures, the malware’s binary, and other malware dropped through successful campaigns.

Palo Alto Networks’ Unit 42 team discovered at the start of the month that in one single Emotet infection, both IcedID and Bumblebee malware strains were dropped onto a victim’s machine.

Proofpoint said the IcedID strain currently spreading via Emotet is a more recent version equipped with different commands and a new loader which could signal a change in ownership, or a new relationship between the criminals running IcedID and those behind Emotet.

“Emotet dropping IcedID marks Emotet as being in full functionality again, by acting as a delivery network for other malware families,” said Proofpoint in a technical analysis.

“Emotet has not demonstrated full functionality and consistent follow-on payload delivery (that’s not Cobalt Strike) since 2021, when it was observed distributing The Trick and Qbot. 

“TA542’s return coinciding with the delivery of IcedID is concerning. IcedID has previously been observed as a follow-on payload to Emotet infections. In many cases, these infections can lead to ransomware.”

Some of the capabilities of IcedID include retrieving desktop information, running processes, and system information. It can also read and exfiltrate files via command and control (C2) infrastructure.

Bumblebee malware, which often acts as a malware or ransomware loader, was discovered earlier this year and is believed to be related to the operations running TrickBot and BazarLoader. 

These two malware families are also thought to be affiliated with the now-shuttered Conti ransomware organisation. 

Proofpoint also established links between IcedID and Conti: leaks from the ransomware organisation’s internal chats revealed it may have been referred to as ‘Anubis’ internally.

The company went on to say that it expects Emotet to continue growing, with more attack attempts against targets in more locations around the world.

Emotet is known for being one of the most impactful cyber criminal operations of the past few years and it took months of a coordinated effort between various international law enforcement agencies to bring it down for the first time.

It is known for continually adapting its infection techniques to exploit the latest vulnerabilities and evade detection.

After Microsoft blocked VBA macros in Office documents, Emotet was one of the first operations to evolve, pivoting to the use of OneDrive URLs instead.

Microsoft’s blocking of VBA macros was widely welcomed in the cyber security industry at the time. It was introduced as a way to reduce the number of successful malicious email campaigns distributing malware.

Regardless, various workarounds have already been established, with the exploitation of LNK files proving most popular in recent months.
