Emotet Returns

The infamous Emotet botnet has returned. In February 2020, the Emotet botnet, largely made up of compromised WordPress servers, ceased to send spam emails. This period of inactivity has now ended with threat intelligence sources now observing an even large number of URLs and C&C servers than before.

Emotet botnet activity resumed around 15-17 July 2020. That was when the first confirmed emails leading to Emotet infection were first observed. Emotet aims to not only steal information, but also send spam emails using stolen credentials from infected terminals and attempts to spread the malware further.

The typical Emotet infection chain:

Current Emotet documents with embedded macros (as of July 2020):

Media coverage of Emotet since its return:







JPCERT guidance on an Emotet infection:


Threat hunting sources for intelligence on Emotet activity:

The No.1 source of reliable Emotet IOCs comes from @Cryptolaemus1


The “Emotet” or “Heodo” tag on MalwareBazaar 


The Any.Run “Emotet” trend


Searching for “Emotet” on OTX Alienvault


Querying Emotet on Twitter


The Emotet operators:

CrowdStrike tracks the Emotet operators as ‘MummySpider’ alongside other high-end cybercriminal groups known as WizardSpider (the operators of the TrickBot banking Trojan), LunarSpider (operators of IcedID/BokBot banking Trojan) and DoppelSpider (the operators of DoppelDridex and the DoppelPaymer ransomware). 

MummySpider has developed the Emotet malware for several years now and has worked on it extensively, building a botnet with hundreds of thousands of devices. Since Emotet’s return, it has been observed dropping TrickBot and Qbot (aka Qakbot) as it continues to collaborate with the top-tier malware operators.

Emotet infections often lead to TrickBot being dropped, and eventually the Ryuk ransomware in some cases. However, VMware Carbon Black recently disclosed a new ransomware variant, dubbed Conti, that was observed leveraging TrickBot’s C&C infrastructure. Conti ransomware is a new and sophisticated threat that is operated manually by human adversaries with deep knowledge of network security and system administration. 

MummySpider is only just beginning this new campaign, which is showing signs of it being its largest ever. The Cryptolaemus1 team reported 589KB worth of indicators on 21 July. This paste is the largest number of samples that the researchers have reported in a single day. Amongst these IOCs were some notable owners of compromised sites: the governments of Mongolia and Albania, as well as universities from Indonesia, Nigeria, Mexico, and Vietnam.

Kevin Beaumont (@GossiTheDog on Twitter) and others also identified that something is replacing Emotet payloads with GIFs on compromised websites. It is unknown if this is a white-hat hacker enacting revenge on the Emotet botnet or the operators themselves. The GIFs themselves do not give any clues as to their author.

My previous blog titled ‘The most dangerous malware in the world: Emotet’ is available here.

Stay frosty Blue Team.


Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

Lessons from the iSOON Leaks