Typically, the Emotet botnet starts sending spam email messages with malicious attachments (MalSpam) on Monday mornings and continues that spam until Friday, taking a break over most weekends. However, this week Binary Defense analysts saw Emotet take an extended weekend break from Monday to Wednesday, presumably for development purposes. During that time, Qakbot, which was loaded by Emotet last week, used its own spam delivery system in order to distribute its malware. Emotet resumed spam today and continued to load Qakbot as they were doing prior to the short break.
As Emotet and Qakbot are both delivered through MalSpam, Binary Defense recommends employing email threat filtering systems and educating employees to use caution when opening attachments from external senders. It is best not to enable macros on suspicious-looking documents contained in emails. To help organizations block or detect suspicious network traffic, all Command and Control (C2) IP addresses found to be used by these threats are uploaded to Binary Defense’s public OTX feed. All URLs found are uploaded to URLhaus, which is a public database of malicious URLs. As all of these infections can lead to more serious issues down the line, including ransomware and PII theft, Binary Defense also recommends the use of an EDR solution with monitoring by skilled analysts 24 hours a day. Such monitoring will either catch the initial infection or catch the follow-on reconnaissance carried out by the ransomware actors, stopping intrusions in their early stages.
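One concrete way to apply the attachment-filtering recommendation above is to inspect inbound Office attachments for embedded VBA before they reach a mailbox. The following is an added example written for this post, not Binary Defense tooling: it classifies an attachment by its container format (legacy OLE binary documents, or OOXML archives that carry a `vbaProject.bin` part) and flags macro-bearing files for quarantine. The sample documents are constructed in memory; the function names and thresholds are this example's own assumptions.

```python
import io
import zipfile

# Magic bytes: legacy .doc/.xls OLE compound file, and the ZIP header used by OOXML (.docx/.docm/.xlsm).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def classify_attachment(data: bytes) -> str:
    """Return 'legacy-ole', 'ooxml-macro', 'ooxml-clean' or 'other' for raw attachment bytes."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office formats can hold VBA without any filename hint; treat as high risk.
        return "legacy-ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        # OOXML stores macros in a vbaProject.bin part (word/, xl/ or ppt/ subfolder).
        if any(name.lower().endswith("vbaproject.bin") for name in names):
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml-clean"
    return "other"


def should_quarantine(filename: str, data: bytes) -> bool:
    """Quarantine policy (assumed): hold legacy OLE documents and any OOXML file carrying VBA.

    The extension is deliberately not trusted: a macro-bearing archive renamed to .docx
    is still flagged because the decision is made on content, not on the name."""
    verdict = classify_attachment(data)
    return verdict in ("legacy-ole", "ooxml-macro")


def make_sample_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML document in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", make_sample_ooxml(True)), ("report.docx", make_sample_ooxml(False))]:
        print(name, classify_attachment(blob), "quarantine" if should_quarantine(name, blob) else "deliver")
```

In a real pipeline the same check would run on every decoded MIME attachment, with quarantined hits forwarded to the analysts handling EDR alerts.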