After finishing a heavy week of spamming, the threat actors behind the Emotet botnet have apparently taken a break. This conclusion is based on researcher observations of spambots ceasing to send out email and command and control servers responding to infected computers with HTTP error codes instead of distributing additional malware payloads. Emotet, which is thought to operate out of Russia, goes on break around this time each year, as Russians begin celebrating the holiday season. The group typically stays on break through Jan 7th at least, which is when Christmas is celebrated in Russia. Although spam production and malware distribution have temporarily ceased, infected computers, or “bots” are still “live” and will continue trying to connect to their command and control servers to request further instructions, ready to come back into full operation when the break is over.
Analyst Notes
Emotet’s break is the perfect time for defenders to detect and clean any infected hosts. In order to get ahead of Emotet before they come back, it is recommended to block the IP/hashes contained in the most recent list of indicators of compromise: https://paste.cryptolaemus.com/emotet/2019/12/22/emotet-malware-IoCs_12-20-19.html
Normally, the list of IoCs changes rapidly and is difficult to keep up with. However, since Emotet is on break, all IOCs are static for now. After blocking access to the IP addresses, defenders should identify any infected computers that are attempting to make outbound network connections to those IP addresses and remediate the computers to remove the malware.
