{
	"id": "bbc3caea-7916-42ef-9815-d06f7d735386",
	"created_at": "2026-04-06T00:18:01.036483Z",
	"updated_at": "2026-04-10T13:11:30.982135Z",
	"deleted_at": null,
	"sha1_hash": "04cb114b2e41438c39f43f609e345964e9581a1c",
	"title": "EMOTET Returns, Starts Spreading via Spam Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69613,
	"plain_text": "EMOTET Returns, Starts Spreading via Spam Botnet\r\nBy Don Ovid Ladores\r\nPublished: 2017-09-07 · Archived: 2026-04-05 23:08:10 UTC\r\nWe first detected the banking malware EMOTET back in 2014. At the time we looked into its routines and behaviors and took note of its information-stealing abilities via network sniffing. In August 2017, we found increased activity coming from new variants (detected by Trend Micro as TSPY_EMOTET.AUSJLA, TSPY_EMOTET.SMD3, TSPY_EMOTET.AUSJKW, and TSPY_EMOTET.AUSJKV) that have the potential to unleash different types of payloads on the affected system.\r\nA Resurgent Malware\r\nWhile the motivation behind EMOTET, information theft, remains the same, its resurfacing can be attributed mainly to two possible reasons.\r\nFirst, the authors behind this attack may be targeting new regions and industries.\r\nWhile the earlier variants of EMOTET primarily targeted the banking sector, our Smart Protection Network (SPN) data reveals that this time the malware isn’t being picky about the industries it attacks. The affected companies come from different industries, including manufacturing, food and beverage, and healthcare. It is possible that, because of the nature of its distribution, EMOTET now has a wider scope.\r\nThe United States, United Kingdom, and Canada made up the bulk of the target regions, with the US accounting for 58% of all our detected infections, while the UK and Canada were at 12% and 8% respectively.\r\nFigure 1: Regional distribution of the EMOTET attacks from June 6 to September 6, 2017\r\nSecond, these new variants use multiple ways to spread. Their primary propagation method is a spam botnet, which results in rapid distribution via email. EMOTET can also spread through a network propagation module that brute-forces domain account credentials with a dictionary attack. 
EMOTET’s use of compromised URLs as C\u0026C servers likely helped it spread as well.\r\nThe element of surprise could also have played a role in its effectiveness: because of its recent inactivity, EMOTET’s resurgence caught its targets off guard, making the attacks, new capabilities, and distribution more effective.\r\nFor malware with email-spamming and lateral-movement capabilities, infecting business systems and acquiring corporate email translates into larger and more effective spam targeting and a higher chance of gaining information.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/\r\nPage 1 of 3\r\nFigure 2: EMOTET infection diagram for the recent wave of attacks\r\nArrival and Installation\r\nThe new EMOTET variants initially arrive as spam claiming to be an invoice or payment notification, to trick victims into believing it is a legitimate email from a supplier.\r\nFigure 3: Sample spam email\r\nThe body of this email contains a malicious URL. When a user clicks on it, a document containing a malicious macro is downloaded; the macro then executes a PowerShell command line that downloads EMOTET.\r\nHere are some of the sample URLs we discovered:\r\nOnce downloaded, EMOTET drops and executes copies of itself into the following folders:\r\nThe malware attempts to ease its entry into the system by deleting the Zone.Identifier alternate data stream (ADS). This small NTFS stream (ZoneId=3 for the Internet zone) is attached to downloaded files to record the URL security zone (the Internet Explorer zone settings) of the file's source; Windows and Office use it to recognise a file that came from a high-risk source and to warn on or block it. Removing the stream makes the dropped copy look like a locally created file.\r\nEMOTET then registers itself as a system service and adds registry entries to ensure that it is executed automatically at every system startup. 
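The two host artifacts described above, a downloaded file whose Zone.Identifier stream has been stripped and a service or Run-key entry used for autostart, can be hunted for from a PowerShell prompt. The script below is an added example and is not code from the original post or from Trend Micro: the Downloads folder, the seven-day window, and the choice of the Windows and Program Files trees as "trusted" locations are assumptions for illustration, and the page does not name the folders or registry keys EMOTET actually uses.

```powershell
# Added example, not from the original post. Hunts for the two artifacts the
# article describes: downloaded files whose Zone.Identifier ADS is missing, and
# autostart entries (Run keys, auto-start services) whose binary lives outside
# the Windows and Program Files trees. Folder, time window and trusted prefixes
# are assumptions for illustration.

function Get-UnmarkedDownloads {
    # Browsers attach a Zone.Identifier stream (ZoneId=3, Internet zone) to every
    # download. A recent file in Downloads without one was either created locally
    # or had the stream removed, which is what EMOTET does to its dropped copies.
    param(
        [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),   # assumption
        [int]$Days = 7                                                # assumption
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Where-Object {
            -not (Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)
        } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-CommandBinary {
    # Extract the executable from a Run value or service PathName. The command may
    # be quoted (arguments follow the closing quote) or unquoted (arguments follow
    # the first space).
    param([string]$CommandLine)
    $q = [char]34                              # the double-quote character
    $s = $CommandLine.Trim()
    if ($s.Length -eq 0) { return '' }
    if ($s[0] -eq $q) {
        $end = $s.IndexOf($q, 1)
        if ($end -gt 0) { return $s.Substring(1, $end - 1) }
        return $s.Trim($q)
    }
    $space = $s.IndexOf(' ')
    if ($space -gt 0) { return $s.Substring(0, $space) }
    return $s
}

function Test-TrustedLocation {
    # Assumption: binaries under the Windows or Program Files trees are expected;
    # anything else (user profile, ProgramData, temp) deserves a closer look.
    param([string]$Path)
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousAutostarts {
    # The registry provider accepts forward slashes as path separators.
    $runKeys = @(
        'HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/Run',
        'HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce',
        'HKCU:/SOFTWARE/Microsoft/Windows/CurrentVersion/Run'
    )
    foreach ($key in $runKeys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }        # provider metadata, not a value
            $cmd = [System.Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            $bin = Get-CommandBinary $cmd
            if (-not (Test-TrustedLocation $bin)) {
                [pscustomobject]@{ Source = $key; Name = $prop.Name; Binary = $bin; Command = $cmd }
            }
        }
    }
    # EMOTET installs itself as a service, gaining LocalSystem privileges and autostart.
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object {
            $cmd = [System.Environment]::ExpandEnvironmentVariables($_.PathName)
            $bin = Get-CommandBinary $cmd
            if (-not (Test-TrustedLocation $bin)) {
                [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Binary = $bin; Command = $cmd }
            }
        }
}

Get-UnmarkedDownloads    | Format-Table -AutoSize
Get-SuspiciousAutostarts | Format-Table -AutoSize
```

Run it as the logged-on user for the HKCU key and the profile's Downloads folder, and once elevated to see all services. The trusted-prefix test is a triage filter, not a verdict: legitimate software does install autostart entries under the user profile, so each hit still needs to be checked against the hash list the post links in its appendix.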
A Windows service normally acts as a long-running “controller” for hardware or for other applications. EMOTET instead uses its service both for elevation of privilege (a service runs under the LocalSystem account unless another account is specified) and as an autostart mechanism.\r\nRoutines\r\nEMOTET lists the system’s currently running processes and then gathers information on both the machine and the operating system.\r\nIt then connects to its Command \u0026 Control (C\u0026C) servers to update itself to the latest version and to determine the type of payload it will deliver. One possible payload is the persistent banking trojan DRIDEX, which attempts to harvest banking account information via browser monitoring routines.\r\nThe malware can also turn the infected system into part of a botnet that sends spam emails intended to spread the malware even further; the more systems it infects, the faster it propagates. It is also capable of harvesting email information and stealing usernames and passwords stored in installed browsers.\r\nIn addition to the above payloads, the C\u0026C server sends modules that perform the following routines:\r\nFrom our recent samples, we have observed that EMOTET has become a loader trojan that decrypts and loads any binary coming from its C\u0026C server.\r\nTrend Micro Solutions\r\nAddressing threats such as EMOTET needs a multilayered and proactive approach to security, from the gateway to endpoints, networks, and servers. 
Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.\r\nTrend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.\r\nTrend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.\r\nThe list of SHA256 hashes is in this appendix.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/"
	],
	"report_names": [
		"emotet-returns-starts-spreading-via-spam-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434681,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04cb114b2e41438c39f43f609e345964e9581a1c.pdf",
		"text": "https://archive.orkl.eu/04cb114b2e41438c39f43f609e345964e9581a1c.txt",
		"img": "https://archive.orkl.eu/04cb114b2e41438c39f43f609e345964e9581a1c.jpg"
	}
}