Vast spam attacks around the world, Emotet botnet resurrected

The Emotet botnet went down around the beginning of June this year. However, Emotet's command and control server has started working again, and the botnet is targeting systems and networks around the globe with spam.

Emails with Emotet's signature were found on the 16th of September 2019 targeting Germany, the UK, Poland, Italy, and the USA. The targets selected by Emotet include both individuals and organizations. Researchers found that Emotet C2 servers started to respond to requests around August 22, 2019.

Emotet is using the following websites as its distribution channel:


Emotet is now targeting 66,000 emails from more than 30,000 domain names and 385 top-level domains (TLDs). Every email in circulation contains a message that looks like the continuation of a past finance-related conversation, which prompts users to look into the matter more closely. Some emails were found to contain a Word document with malicious macro code, while others were detected with macros that run a PowerShell command containing the URLs of several hacked websites from which payloads are fetched.

This resurrection of the Emotet botnet is alarming and might cause huge damage. Emotet can be used to launch future attacks that would put systems around the globe at risk.
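The macro-to-PowerShell chain described above shows up in process-creation logs as an Office application starting PowerShell with URLs in its command line. The detection logic below is an added example, not part of the original report; it also decodes `-EncodedCommand` arguments, which goes beyond what the report states. The event field names and every sample event are constructed for illustration.

```python
import base64
import re

# Field names (host, parent, image, cmdline) are assumed; map them from your telemetry.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://[^\s'\"@,;)]+", re.I)
# -e, -ec, -en, -enc ... -EncodedCommand followed by a base64 argument
ENC_RE = re.compile(r"\s[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE), or ''."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 or bad UTF-16 (both are ValueError subclasses)
        return ""

def triage(events):
    """Flag PowerShell started by an Office app and list the URLs it references."""
    findings = []
    for ev in events:
        if basename(ev["parent"]) in OFFICE and basename(ev["image"]) in SHELLS:
            text = ev["cmdline"] + " " + decode_encoded_command(ev["cmdline"])
            findings.append({"host": ev["host"],
                             "urls": sorted(set(URL_RE.findall(text)))})
    return findings

# Constructed sample events; hosts, paths and URLs are made up for the example.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_script = "$u='http://site-a.example/x','http://site-b.example/y'"
_b64 = base64.b64encode(_script.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": PS, "cmdline": "powershell -NoProfile -enc " + _b64},
    {"host": "WS-02", "parent": r"C:\Windows\explorer.exe",
     "image": PS, "cmdline": "powershell Get-ChildItem"},
    {"host": "WS-03", "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": PS, "cmdline": "powershell $p='https://site-c.example/z'"},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

An Office parent with no URL in the command line is still reported, with an empty `urls` list, because the parent-child relationship alone is worth reviewing.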

Use NPAV Z-Security for complete protection.
