The Emotet botnet is back from a four-month vacation with a new spam campaign that began early on September 16.
The initial burst of emails mainly targeted German, Polish, and Italian speakers, with a smaller number of English speakers also receiving messages whose subject line contained the phrase “payment remittance advice,” the Malwarebytes Threat Intelligence Team reported. Each email carried a malicious attachment, along with a note claiming it was a statement and requesting payment as soon as possible.
Those who opened the attachment were presented with a fake warning, styled as coming from Microsoft, that their Office account would expire in a few days unless they clicked the Enable Editing button.
At this time Emotet is downloaded from a compromised site, most often one running the WordPress content management system, Malwarebytes said. Once downloaded, the trojan begins stealing passwords and attempts to spread laterally throughout the system. It also acts as a platform for additional malware, such as ransomware, to be downloaded.
“Compromised machines can lay in a dormant state until operators decide to hand off the job to other criminal groups that will attempt to extort large sums of money from their victims. In the past, we’ve seen the infamous Ryuk ransomware being deployed that way,” Malwarebytes reported.
Because Emotet’s re-emergence is so recent, researchers said they know little about which organizations have been hit or how many emails have been sent.