Attached to Emotet

Author: Jennifer Walker

Created: Thursday, July 30, 2020 - 16:01

Categories: Cybersecurity

As reported in the Security & Resilience Update on July 21, Emotet has arisen after its nearly six-month snooze. At first it did not seem to be exhibiting any discernible new behavior, as is typical for an Emotet awakening. But after more in-depth analysis, researchers have since identified a new module designed to steal attachments. This attachment-stealing module is another arrow in Emotet’s quiver for appearing authentic to its victims. According to Cryptolaemus, a group that tracks Emotet, the malware now steals attachments of 131072 bytes or smaller along with email contents, later to be used as part of reply chains. Similar to its previous campaigns, Emotet has been distributing emails disguised as payment reports, invoices, employment opportunities, and shipping information.

On an admirable note, an avenger has been exasperating Emotet, turning some of its distribution sites into a bit of an ‘e-meme-tet’ by replacing malicious payloads with memes and GIFs. Despite Emotet’s enduring inner workings, malware researcher Kevin Beaumont noted in December 2019 that Emotet’s infrastructure is rather insecure, right down to password reuse. It seems threat actors suffer from the same perpetual password pitfalls as everyone else. This lingering password deficiency is a plausible reason for the recent vigilante justice. And while this has put a crimp in its action, it is not likely to be Emotet’s endgame. Read more about Emotet’s new attachment-stealing module at BleepingComputer.

© 2026 WaterISAC. All Rights Reserved.
