Security experts from Check Point Research have observed a sharp increase in Emotet botnet activity used to spread spam campaigns and steal banking credentials.
After a long period of inactivity, Check Point warned that in July 2020, “Emotet has surged back to 1st place in the Index, impacting 5% of organizations globally.”
As part of malspam campaigns, Emotet infected its victims with TrickBot or Qbot malware.
According to Check Point, the phishing emails contained malicious documents (e.g., form.doc, invoice.doc).
Once the victim opened up the file, the doc would then launch a PowerShell script that downloaded the Emotet payload from remote websites. The victim’s computer in turn would get infected and then get added to the botnet.
Historically, TrickBot has been used to steal banking credentials. As recently as June, however, experts discovered the trojan also added a new module “nworm” that can exploit vulnerable domain controllers (DCs) and evade detection by running in memory.