Emotet Attempts To Sell Access After Infiltrating High Value Networks

The notorious trojan Emotet re-emerged this week after a three-month hiatus with a specific goal: send malicious emails to infiltrate high-value corporate networks and then try to sell that access to ransomware groups.

Instead of just sending malicious Excel files, Emotet is now sending malware in Word files with macros that, if enabled, could start the infection chain and execute the Emotet.dll.

Deep Instinct’s Threat Research team on Friday reported that the first page of the malicious email contains an image that tries to lure the receiver to enable macros. The Deep Instinct team observed malicious emails sent to companies around the globe, including in Japan, an image of which they posted on March 10.

Initially conceived as a banking trojan in 2014, Emotet evolved into an all-purpose loader two years later. While the botnet had its infrastructure dismantled in January 2021, it has been resurrected through the help of the TrickBot malware by the mostly defunct Conti group. In security circles, Emotet gets tracked at Mummy Spider, or TA542.

Simon Kenin, a security researcher at Deep Instinct, explained that over the years, Emotet shifted to being a botnet of infected computers that will load any other malware the operator decides on, and that’s why the malicious spam now gets sent to corporate email addresses and not individuals at homes.

“When the operator of the botnet sees a high value target infected, he can sell access to a ransomware group, which will have initial access and try

Read more

Explore the site

More from the blog

Latest News