Our analysts assess that Emotet resumed operations on January 13, 2020, after its holiday break. Emotet is a widespread threat to businesses and organizations: it uses infected computers to send emails with malicious document attachments, and those documents in turn infect further computers and deliver additional malware, including ransomware. Spamming kicked off early this morning, around 8 AM EST. The threat group is heavily targeting the US and Canada with spam emails carrying document files that contain malicious macros. Trickbot with a gtag of “mor74” was also dropped on all Emotet botnets. The gtag value identifies a particular campaign or version of the Trickbot malware. The last gtag observed before the holiday break was “mor70”, which indicates that Trickbot continued to evolve even while Emotet was not operating. Our analysts will continue tracking the infrastructure, but at this moment there are no known email templates to report.
As Emotet’s behavior has not changed, our analysts recommend that macros be disabled by default, so that a recipient must make a deliberate decision that a document is trustworthy before enabling them, and, where the business allows it, that macros in documents received from the Internet be blocked outright by policy rather than left to the user’s “Enable Content” click. Additionally, blocking all Indicators of Compromise (IOCs) included in Cryptolaemus’ daily paste will be useful in the long run. The latest IOC list can be found here: https://paste.cryptolaemus.com/emotet/2020/01/09/emotet-malware-IoCs_01-09-20.html
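One way to enforce the macro recommendation above on a Windows endpoint, as an added example that is not part of the original advisory or Cryptolaemus tooling: the script below writes the Office VBA security policy values for Word, Excel and PowerPoint into the per-user policy hive. It assumes Office 2016/2019/365 (registry version key “16.0”) and that the script runs in the target user’s context; in an enterprise the same values should be distributed through Group Policy instead of a script. The weak setting is shown only as a comment for comparison and is not applied.

```powershell
# Added example, not from the original advisory. Hardens Office macro handling
# for the current user via the Office policy registry hive.
# Assumptions: Office 2016/2019/365 (version key "16.0"); adjust for other builds.

$apps          = 'Word', 'Excel', 'PowerPoint'
$officeVersion = '16.0'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Weak setting for comparison (NOT applied):
    #   VBAWarnings = 2  -> "Disable all macros with notification". The user is
    #   shown an "Enable Content" bar, which is exactly the click the malicious
    #   Emotet documents lure recipients into making.

    # Corrected setting:
    #   VBAWarnings = 3  -> disable all macros except digitally signed ones.
    #   Use 4 ("disable all without notification") if signed macros are not needed.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 3

    # Corrected setting:
    #   blockcontentexecutionfrominternet = 1 -> block macros in files that carry
    #   the Mark-of-the-Web (e.g. downloaded from the Internet), regardless of the
    #   user's choice. This covers the emailed-attachment delivery path directly.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

# Verification: print the effective policy values for each application.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    Get-ItemProperty -Path $key |
        Select-Object @{ Name = 'App'; Expression = { $app } },
                      VBAWarnings,
                      blockcontentexecutionfrominternet
}
```

Because these values live under the Policies hive, they override whatever the user has chosen in the Trust Center, and a user cannot change them from the Office UI; that is the difference between “disabled by default” and “disabled by policy”. Office 2010/2013 use the “14.0”/“15.0” version keys and do not support the Mark-of-the-Web block, so only the VBAWarnings value applies there.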