On 17 July, Proofpoint’s threat research team observed a malicious spam (malspam) campaign featuring the return of the Emotet malware after a five-month hiatus. This was a sizable campaign that included nearly a quarter-million malspam messages [1].
While the scope of this campaign differs from our previous report on Emotet [2], the tactics and techniques it uses are largely the same. Threat actors use Emotet to steal stored passwords, sensitive banking data, and browser histories from victims’ computers.
The email lures observed in this campaign are simple in nature and are similar to lures that Emotet has previously used. The subject lines are largely generic terms like “Re:” or “Invoice#” followed by a series of numbers, but some also include the names of targeted organizations. Message bodies are generic and reference an attachment that the user must open. The attachments are Microsoft Office documents (e.g. Word or Excel) with filenames themed after common business documents like payroll and resumes.
When the user opens the attached document, they are prompted to enable macros. Once macros are enabled, they execute a PowerShell (powershell.exe) command that attempts to download the Emotet payload (WFSR.exe) from one of five Base64-encoded domain names embedded in the command. If the download succeeds, the PowerShell command then executes the Emotet payload.
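The chain above (an Office process spawning powershell.exe whose command line carries Base64-encoded download domains) is what a detection engineer would look for in process-creation telemetry. The triage routine below is an added example for this post, not Infoblox's or Proofpoint's code; the event field names, the sample events and the `.invalid` hosts are constructed assumptions.

```python
import base64
import re

# Helper used only to build the constructed sample events below.
def _b64(s):
    return base64.b64encode(s.encode()).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed process-creation events in the shape a Sysmon Event ID 1 or
# Windows 4688 record would give you; the hosts are placeholders (.invalid).
SAMPLE_EVENTS = [
    {"ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -w hidden -c \"$u=@('%s','%s')\""
                    % (_b64("http://finance-docs.invalid/x"),
                       _b64("http://reports-portal.example.invalid/y"))},
    {"ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # candidate Base64 blobs
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def decode_embedded_hosts(cmdline):
    """Decode each Base64-looking token and return URL hosts found in the plaintext."""
    hosts = []
    for tok in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: ignore the token
        hosts.extend(URL_HOST.findall(text))
    return hosts

def triage(event):
    """Return a finding for Office -> powershell.exe chains, or None otherwise."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image != "powershell.exe" or parent not in OFFICE_PARENTS:
        return None
    hosts = decode_embedded_hosts(event["CommandLine"])
    return {"parent": parent, "hosts": hosts, "suspicious": bool(hosts)}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

Decoded hosts from a flagged event are what you would check against DNS and proxy logs to see whether the download stage actually reached out.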
Upon execution, Emotet attempts to steal sensitive information from the victim and exfiltrate this data to one of its command and control (C2) servers. After stealing the victim’s information, Emotet will typically attempt to install additional malware, but it is currently unclear what additional payloads this particular campaign may be delivering.
Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.