Emotet malware Command and Control (C2) servers, after being dormant for almost three months, came back online on August 22nd and have been seen spewing spam messages across the globe. It appears that the Emotet operators prepared for the restart by cleaning out fake bots, putting together new campaigns and establishing new distribution channels (compromised websites, hacking sites, setting up web shells). A few of the compromised websites include customernoble.com – a cleaning company, taxolabs.com, www.mutlukadinlarakademisi.com – Turkish women’s blog, www.holyurbanhotel.com, keikomimura.com, charosjewellery.co.uk, think1.com, broadpeakdefense.com, lecairtravels.com, www.biyunhui.com, and nautcoins.com just to name a few. According to research, Emotet appears to have quite a strong beginning with almost 66,000 unique emails targeted. As for the origin of the malicious emails, it was found that 3,362 different senders, all by stolen credentials were used. These emails are targeting individuals, businesses and government users, and the sent emails appear to have a financial theme by sending malicious invoices to victims.
Analyst Notes
Standard zero-trust policies are a highly effective defense against malicious emails. Users, before opening attachments, should verify that the sender sent the attachment. It is also advised to have a strong anti-virus and anti-malware protection installed on the user’s system.
