In late January 2021, news outlets across the globe published reports about the downfall of what many called the most disruptive botnet of recent history: EMOTET. Not unlike Imhotep the mummy, who had similar sinister goals of domination and colorful phonetics, EMOTET is rising from the grave.
Two distinct capabilities make EMOTET so nasty. The first is its use of email as the attack vector: it sends malicious attachments disguised as invoices, shipping notices, and other routine announcements, delivered as Microsoft Word and Excel documents or as password-protected ZIP archives that slip past content inspection. The second is that, because it is so effective at gaining a foothold, EMOTET is also offered as a Malware-as-a-Service (MaaS) platform: other cybercriminals rent access to infected machines and use it to drop ransomware, banking trojans, and other payloads onto a victim's computer.
On Nov. 15, by the light of a near full moon, we began seeing signs that EMOTET was rising from the grave. SANS Internet Storm Center started analyzing reports of malicious spam (malspam) infections that appeared to be EMOTET.
Chain of events for EMOTET infection from isc.sans.edu
Once infected, EMOTET hosts begin to communicate back to the command and control (C2) servers. The abuse.ch project Feodo Tracker maintains a list of these C2 servers. Digital Silence highly recommends Feodo Tracker as a starting point for blocking these known bad hosts at your firewalls and within your email filters; because infected hosts call out to the C2, the block needs to apply to outbound traffic, not just inbound.
In addition to filtering known bad hosts, Digital Silence highly recommends combining endpoint detection and response (EDR), ideally delivered as a managed service (MDR), with end-user education to reduce your overall risk.
Digital Silence continues to monitor EMOTET and other malware risks through Virtual CISO Services, Post Breach Incident Response, and Penetration Testing Services.
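To make the blocking recommendation concrete, the following is an added example (not code from the Digital Silence post or from abuse.ch) that turns a Feodo Tracker-style plain-text IP blocklist into nftables rules for outbound traffic and then checks constructed firewall log lines against the same list to find hosts already talking to C2. It assumes the feed layout is one IPv4 address per line with `#` comment lines; the sample feed and log lines below are constructed and use RFC 5737 documentation ranges, not real EMOTET C2 addresses. The set name `emotet_c2` and the log line format are illustrative choices.

```python
"""Parse a Feodo Tracker-style C2 IP blocklist, emit nftables drop rules,
and hunt for C2 hits in connection logs.

Added example; assumes the plain-text feed is one IPv4 per line with
'#' comments. Sample data below is constructed (RFC 5737 ranges).
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Constructed sample in the one-IP-per-line blocklist layout. Includes a
# duplicate and a malformed entry to show the parser tolerating a dirty feed.
SAMPLE_BLOCKLIST = """\
################################################################
# Botnet C2 IP Blocklist (constructed sample, not a real feed)
# Last updated: 2021-11-16 (constructed)
################################################################
192.0.2.10
198.51.100.7
203.0.113.44   # trailing comment
192.0.2.10
not-an-ip
"""

# Constructed firewall log lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2021-11-16T08:01:12Z 10.0.0.15 -> 192.0.2.10:443
2021-11-16T08:01:19Z 10.0.0.22 -> 93.184.216.34:443
2021-11-16T08:02:03Z 10.0.0.15 -> 203.0.113.44:8080
garbage line that should be ignored
"""


def parse_blocklist(text: str) -> set[ipaddress.IPv4Address]:
    """Return the set of valid IPv4 addresses in a '#'-commented feed.
    Blank lines, comments and malformed entries are skipped; duplicates collapse."""
    addrs: set[ipaddress.IPv4Address] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        try:
            addrs.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue  # one bad line must not poison the whole feed
    return addrs


def nft_rules(addrs: Iterable[ipaddress.IPv4Address], set_name: str = "emotet_c2") -> list[str]:
    """Emit nft statements that log and drop *outbound* traffic to blocklisted hosts.
    Outbound is what matters here: the infected host initiates the C2 connection."""
    elements = ", ".join(str(a) for a in sorted(addrs))
    return [
        "add table inet filter",
        f"add set inet filter {set_name} {{ type ipv4_addr; }}",
        f"add element inet filter {set_name} {{ {elements} }}",
        "add chain inet filter output { type filter hook output priority 0; }",
        f'add rule inet filter output ip daddr @{set_name} counter log prefix "{set_name}: " drop',
    ]


def find_c2_hits(log_text: str, blocked: set[ipaddress.IPv4Address]) -> list[tuple[str, str, str]]:
    """Return (timestamp, src_ip, dst_ip) for log lines whose destination is blocklisted.
    These are the internal hosts to pull for incident response, not just to block."""
    hits: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue  # not in the expected "<ts> <src> -> <dst>:<port>" shape
        ts, src, dst_port = parts[0], parts[1], parts[3]
        dst = dst_port.rsplit(":", 1)[0]
        try:
            if ipaddress.IPv4Address(dst) in blocked:
                hits.append((ts, src, dst))
        except ipaddress.AddressValueError:
            continue
    return hits


if __name__ == "__main__":
    c2 = parse_blocklist(SAMPLE_BLOCKLIST)
    print("\n".join(nft_rules(c2)))
    for ts, src, dst in find_c2_hits(SAMPLE_LOG, c2):
        print(f"{ts} internal host {src} contacted blocklisted C2 {dst}")
```

Feeding the rule lines to `nft -f -` applies them in one transaction; refreshing the set on a schedule keeps pace with the feed, and the `counter log` on the drop rule gives you the same C2-hit signal at the firewall that `find_c2_hits` pulls out of historical logs.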