# Emotet is back: botnet springs back to life with new spam campaign

**[blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/](https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/)**

Threat Intelligence Team September 16, 2019

[After a fairly long hiatus that lasted nearly four months, Emotet is back with an active](http://www.malwarebytes.com/emotet/) [spam](https://www.malwarebytes.com/spam/)
[distribution campaign. For a few weeks, there were signs that the botnet was setting its](https://www.malwarebytes.com/botnet)
gears in motion again, as we observed command and control (C2) server activity. But this
morning, the [Trojan started pumping out spam, a clear indication it’s ready to jump back into](https://www.malwarebytes.com/trojan/)
action.

The malicious emails started in the wee hours of Monday morning, with templates spotted in
German, [Polish, and](https://twitter.com/spamhaus/status/1173512556960452608?s=20) [Italian. Our Threat Intelligence team started seeing phishing emails](https://twitter.com/JAMESWT_MHT/status/1173602910132944896?s=20)
sent in English as well with the subject line “Payment Remittance Advice.”


-----

Figure 1: Our spam honeypot receiving Emotet emails
Note the personalization in the email subject lines. Borrowing a tactic from North Korean
[nation-state actors, Emotet’s creators are bringing back highly sophisticated spear phishing](https://blog.malwarebytes.com/glossary/spear_phishing/)
functionality introduced in April 2019, which includes hijacking old email threads and
referencing to the user by name.


-----

Figure 2: The phishing email masquerading as a statement
Victims are lured to open the attached document and enable the macro to kick-start the
infection process.


-----

Figure 3: Word document employs social engineering to convince users into running a
macro.


-----

Figure 4: Obfuscated macro code responsible for launching PowerShell
The PowerShell command triggered by the macro attempts to download Emotet from
compromised sites, often running on the WordPress content management system (CMS).

There are alternate delivery techniques as well. For example, some instances of the
malicious document rely on a downloader script instead.


-----

Figure 5: Script blocked upon macro execution
Once the download is successful and Emotet is installed on the endpoint, it begins
propagating by spreading laterally to other endpoints in the network and beyond. It also
steals credentials from installed applications and spams the user’s contact list. Perhaps the
biggest threat, though, is that Emotet serves as a delivery vector for more dangerous
[payloads, such as TrickBot and other](https://blog.malwarebytes.com/trojans/2019/09/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts/) [ransomware families.](https://blog.malwarebytes.com/ransomware/2019/08/ransomware-continues-assault-against-cities-and-businesses/)

Emotet is most notorious for collateral damage inflicted as part of a blended attack. Dubbed
the “triple threat” by many in security, Emotet partners with TrickBot and [Ryuk ransomware](https://www.malwarebytes.com/ryuk-ransomware/)
for a knockout combo that ensures maximum penetration through the network so that
valuable data may be stolen and sold for profit, while the rest is encrypted in order to extort
organizations into paying the ransom to retrieve their files and systems.

Alternatively, compromised machines can lay in a dormant state until operators decide to
hand off the job to other criminal groups that will demand large sums of money—up to US$5
[million—from their victims. In the past, we’ve seen the infamous Ryuk ransomware deployed](https://blog.malwarebytes.com/detections/ransom-ryuk/)
in this way.

While Emotet is typically focused on infecting organizations, individual consumers may also
be at risk. [Malwarebytes business customers and](http://www.malwarebytes.com/business) Malwarebytes for Windows Premium home
users are already guarded against this campaign, thanks to our signature-less anti-exploit


-----

technology. As always, we recommend users be cautious when opening emails with
attachments, even if they appear to come from acquaintances.

Figure 6: Malwarebytes Endpoint protection blocking the attack

## Protection and remediation

Users who are not Malwarebytes customers or who use the free scanner will want to take
additional steps to protect against Emotet or clean up the infection, if they’ve already been
hit. Businesses and organizations that may currently be battling an Emotet infection can
[contact Malwarebytes for immediate help. Or, for more background information on how](https://www.malwarebytes.com/business/malwareremovalservice/)
[Emotet works and a list of tips for remediation and tips view our Emotet emergency kit](https://go.malwarebytes.com/0919_RR_Global_Emotet_Emergency-Kit-NA-LP.html?utm_source=blog&utm_medium=organic&utm_campaign=rr-emotet)


-----

As this campaign is not even a day old, we don t yet know the impact on organizations and
other users. We will continue to update this post as we learn more throughout the day. In the
meantime, warn your coworkers, friends, and family to be wary of emails disguised as
[invoices or any other “phishy” instances.](https://blog.malwarebytes.com/101/2017/06/somethings-phishy-how-to-detect-phishing-attempts/)

## Indicators of Compromise (IOCs)

**Email subject lines**

Payment Remittance Advice

Numero Fattura 2019…

**Malicious Word documents**

eee144531839763b15051badbbda9daae38f60c02abaa7794a046f96a68cd10b

fb25f35c54831b3641c50c760eb94ec57481d8c8b1da98dd05ba97080d54ee6a

bee23d63404d97d2b03fbc38e4c554a55a7734d83dbd87f2bf1baf7ed2e39e3e

5d9775369ab5486b5f2d0faac423e213cee20daf5aaaaa9c8b4c3b4e66ea8224

**Hacked websites hosting the Emotet binary**

danangluxury[.]com/wp-content/uploads/KTgQsblu/

gcesab[.]com/wp-includes/customize/zUfJervuM/

autorepuestosdml[.]com/wp-content/CiloXIptI/

covergt[.]com/wordpress/geh7l30-xq85i1-558/

zhaoyouxiu[.]com/wp-includes/vxqo-84953w-5062/

rockstareats[.]com/wp-content/themes/NUOAajdJ/

inwil[.]com/wp-content/oyFhKHoe

inesmanila[.]com/cgi-bin/otxpnmxm-3okvb2-29756/

dateandoando[.]com/wp-includes/y0mcdp2zyq_lx14j2wh2-0551284557/

**Emotet binaries**

8f05aa95aa7b2146ee490c2305a2450e58ce1d1e3103e6f9019767e5568f233e
7080e1b236a19ed46ea28754916c43a7e8b68727c33cbf81b96077374f4dc205

61e0ac40dc2680aad77a71f1e6d845a37ab12aa8cd6b638d2dbcebe9195b0f6

f5af8586f0289163951adaaf7eb9726b82b05daa3bb0cc2c0ba5970f6119c77a

6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5

**Post-infection traffic (C2s)**

187[.]155[.]233[.]46

83[.]29[.]180[.]97

181[.]36[.]42[.]205

200[.]21[.]90[.]6


-----

123[.]168[.]4[.]66
151[.]80[.]142[.]33
159[.]65[.]241[.]220
109[.]104[.]79[.]48
43[.]229[.]62[.]186
72[.]47[.]248[.]48
190[.]1[.]37[.]125
46[.]29[.]183[.]211
91[.]205[.]215[.]57
178[.]79[.]163[.]131
187[.]188[.]166[.]192
181[.]188[.]149[.]134
125[.]99[.]61[.]162
77[.]245[.]101[.]134
138[.]68[.]106[.]4
187[.]242[.]204[.]142
190[.]19[.]42[.]131
213[.]120[.]104[.]180
149[.]62[.]173[.]247
181[.]48[.]174[.]242
80[.]85[.]87[.]122
183[.]82[.]97[.]25
185[.]86[.]148[.]222
90[.]69[.]208[.]50
91[.]83[.]93[.]124
183[.]87[.]87[.]73
62[.]210[.]142[.]58
186[.]83[.]133[.]253
109[.]169[.]86[.]13
179[.]62[.]18[.]56
81[.]169[.]140[.]14
187[.]144[.]227[.]2
69[.]163[.]33[.]82
88[.]250[.]223[.]190
190[.]230[.]60[.]129
37[.]59[.]1[.]74
203[.]25[.]159[.]3
79[.]143[.]182[.]254
200[.]57[.]102[.]71
217[.]199[.]175[.]216
201[.]219[.]183[.]243
196[.]6[.]112[.]70


-----

200[.]58[.]171[.]51
5[.]77[.]13[.]70
217[.]113[.]27[.]158
46[.]249[.]204[.]99
159[.]203[.]204[.]126
170[.]247[.]122[.]37
200[.]80[.]198[.]34
62[.]75[.]143[.]100
89[.]188[.]124[.]145
143[.]0[.]245[.]169
190[.]117[.]206[.]153
77[.]122[.]183[.]203
46[.]21[.]105[.]59
181[.]39[.]134[.]122
86[.]42[.]166[.]147
23[.]92[.]22[.]225

179[.]12[.]170[.]88
182[.]76[.]6[.]2
201[.]250[.]11[.]236
86[.]98[.]25[.]30
198[.]199[.]88[.]162
178[.]62[.]37[.]188
92[.]51[.]129[.]249
92[.]222[.]125[.]16
142[.]44[.]162[.]209
92[.]222[.]216[.]44
138[.]201[.]140[.]110
64[.]13[.]225[.]150
182[.]176[.]132[.]213
37[.]157[.]194[.]134
206[.]189[.]98[.]125
45[.]123[.]3[.]54
45[.]33[.]49[.]124
178[.]79[.]161[.]166
104[.]131[.]11[.]150
173[.]212[.]203[.]26
88[.]156[.]97[.]210
190[.]145[.]67[.]134
144[.]139[.]247[.]220
159[.]65[.]25[.]128
186[.]4[.]172[.]5
87[.]106[.]136[.]232


-----

189[.]209[.]217[.]49
149[.]202[.]153[.]252
78[.]24[.]219[.]147
125[.]99[.]106[.]226
95[.]128[.]43[.]213
47[.]41[.]213[.]2
37[.]208[.]39[.]59
185[.]94[.]252[.]13
212[.]71[.]234[.]16
87[.]106[.]139[.]101
188[.]166[.]253[.]46
175[.]100[.]138[.]82
85[.]104[.]59[.]244
62[.]75[.]187[.]192
91[.]205[.]215[.]66
136[.]243[.]177[.]26
190[.]186[.]203[.]55
162[.]243[.]125[.]212
91[.]83[.]93[.]103
217[.]160[.]182[.]191
94[.]205[.]247[.]10
211[.]63[.]71[.]72
41[.]220[.]119[.]246
104[.]236[.]246[.]93
117[.]197[.]124[.]36
75[.]127[.]14[.]170
31[.]12[.]67[.]62
169[.]239[.]182[.]217
179[.]32[.]19[.]219
177[.]246[.]193[.]139
31[.]172[.]240[.]91
152[.]169[.]236[.]172
201[.]212[.]57[.]109
222[.]214[.]218[.]192
87[.]230[.]19[.]21
46[.]105[.]131[.]87
182[.]176[.]106[.]43


-----