# Emotet launches major new spam campaign **[welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/](https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/)** The recent spike in Emotet activity shows that it remains an active threat [ESET Research](https://www.welivesecurity.com/author/esetresearch/) 9 Nov 2018 - 03:11PM The recent spike in Emotet activity shows that it remains an active threat November 9, 2018 ----- [A week after adding a new email content harvesting module, and following a period of low](https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html) activity, the malicious actors behind Emotet have launched a new, large-scale spam campaign. ## What is Emotet? Emotet is a banking Trojan family notorious for its modular architecture, persistence techniques, and worm-like self-propagation. It is distributed through spam campaigns employing a variety of seemingly legitimate guises for their malicious attachments. The Trojan is often used as a downloader or dropper for potentially more-damaging, secondary payloads. Due to its high destructive potential, Emotet was the subject of a US-CERT [security notice in July 2018.](https://www.us-cert.gov/ncas/alerts/TA18-201A) ## The new campaign According to our telemetry, the latest Emotet activity was launched on November 5, 2018, following a period of low activity. Figure 1 shows a spike in the Emotet detection rate in the beginning of November 2018, as seen in our telemetry data. Figure 1 – Overview of ESET product detections of Emotet in the past two weeks Breaking those detections down by country, as seen in Figure 2, this latest Emotet campaign appears to be most active the Americas, the UK, Turkey and South Africa. ----- Figure 2 – Distribution of ESET detections of Emotet in November 2018 (including both file and network detections) In the November 2018 campaign, Emotet makes use of malicious Word and PDF attachments posing as invoices, payment notifications, bank account alerts, etc., seemingly coming from legitimate organizations. Alternately, the emails contain malicious links instead of attachments. The email subjects used in the campaign suggest a targeting of English and German-speaking users. Figure 3 shows Emotet activity in November 2018 from the perspective of document detections. Figures 4, 5 and 6 are example emails and attachments from this campaign. Figure 3 – Distribution of ESET detections of Emotet-related documents in November 2018 ----- Figure 4 – Example of a spam email used in the latest Emotet campaign ----- Figure 5 – Example of a malicious Word document used in the latest Emotet campaign Figure 6 – Example of a malicious PDF used in the latest Emotet campaign The compromise scenario in this November 2018 campaign starts with the victim opening a malicious Word or PDF file attached to a spam email seemingly coming from a legitimate and familiar organization. ----- Following the instructions in the document, the victim enables macros in Word or clicks on the link in the PDF. The Emotet payload is subsequently installed and launched, establishes persistence on the computer and reports the successful compromise to its C&C server. In turn, it receives instructions on which attack modules and secondary payloads to download. The modules extend the initial payload’s functionality with one or more of credentialstealing, network propagation, sensitive information harvesting, port forwarding, and other capabilities. As for the secondary payloads, this campaign has seen Emotet dropping TrickBot and IcedId on compromised machines. ## Conclusion This recent spike in Emotet activity just goes to show that Emotet continues to be an active threat – and an increasingly worrying one due to the recent module updates. ESET systems detect and block all Emotet components under detection names listed in the IoCs section. ## Indicators of Compromise (IoCs) ### Example hashes Note that new builds of Emotet binaries are released approximately every two hours, so hashes may not be the latest available. **Emotet** **SHA-1** **ESET detection name** 51AAA2F3D967E80F4C0D8A86D39BF16FED626AEF Win32/Kryptik.GMLY trojan EA51627AF1F08D231D7939DC4BA0963ED4C6025F Win32/Kryptik.GMLY trojan 3438C75C989E83F23AFE6B19EF7BEF0F46A007CF Win32/Kryptik.GJXG trojan 00D5682C1A67DA31929E80F57CA26660FDEEF0AF Win32/Kryptik.GMLC trojan **Modules** **SHA-1** **ESET detection name** 0E853B468E6CE173839C76796F140FB42555F46B Win32/Kryptik.GMFS trojan 191DD70BBFF84D600142BA32C511D5B76BF7E351 Win32/Emotet.AW trojan BACF1A0AD9EA9843105052A87BFA03E0548D2CDD Win32/Kryptik.GMFS trojan ----- **SHA-1** **ESET detection name** A560E7FF75DC25C853BB6BB286D8353FE575E8ED Win32/Kryptik.GMFS trojan 12150DEE07E7401E0707ABC13DB0E74914699AB4 Win32/Kryptik.GMFS trojan E711010E087885001B6755FF5E4DF1E4B9B46508 Win32/Agent.TFO trojan **Secondary payloads** TrickBot **SHA-1** **ESET detection name** B84BDB8F039B0AD9AE07E1632F72A6A5E86F37A1 Win32/Kryptik.GMKM trojan 9E111A643BACA9E2D654EEF9868D1F5A3F9AF767 Win32/Kryptik.GMKM trojan IcedId **SHA-1** **ESET detection name** 0618F522A7F4FE9E7FADCD4FBBECF36E045E22E3 Win32/Kryptik.GMLM trojan ## C&C servers (active as of November 9, 2018) 187.163.174[.]149:8080 70.60.50[.]60:8080 207.255.59[.]231:443 50.21.147[.]8:8090 118.69.186[.]155:8080 216.176.21[.]143:80 5.32.65[.]50:8080 96.246.206[.]16:80 187.163.49[.]123:8090 187.207.72[.]201:443 210.2.86[.]72:8080 ----- 37.120.175[.]15:80 77.44.98[.]67:8080 49.212.135[.]76:443 216.251.1[.]1:80 189.130.50[.]85:80 159.65.76[.]245:443 192.155.90[.]90:7080 210.2.86[.]94:8080 198.199.185[.]25:443 23.254.203[.]51:8080 67.237.41[.]34:8443 148.69.94[.]166:50000 107.10.139[.]119:443 186.15.60[.]167:443 133.242.208[.]183:8080 181.229.155[.]11:80 69.198.17[.]20:8080 5.9.128[.]163:8080 104.5.49[.]54:8443 139.59.242[.]76:8080 181.27.126[.]228:990 165.227.213[.]173:8080 9 Nov 2018 - 03:11PM ### Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center ----- ### Newsletter Discussion -----