Threat Watch

Emotet Delivers Qakbot:

In the past few weeks, the prolific malspam botnet Emotet has resurfaced after a months-long hiatus. Emotet primarily serves as a loader for other malware and has most often been observed delivering Trickbot. Today, Emotet dropped Qakbot instead, which is fairly uncommon compared to its usual Trickbot distributions. Binary Defense analysts tracking Qakbot observed that its distribution via direct email stopped approximately four weeks ago, which suggests the Qakbot operators may be experimenting with a new distribution model by paying for installs on Emotet bots.

ANALYST NOTES

As Emotet is primarily distributed via email, Binary Defense recommends that companies implement email threat scanning and protection, and advise employees to use caution when opening documents attached to email, especially when the message is vague, such as an invoice from a company the employee has never worked with. Companies should also implement endpoint security monitoring of workstations and servers to detect and quickly respond to threats that make it past filters and watchful employees. Additionally, the IP addresses of all known Qakbot Command and Control (C2) servers have been added to Binary Defense’s Open Threat Exchange (OTX) channel: https://otx.alienvault.com/user/BinaryDefense/pulses.