Update: Emotet Botnet Delivering Qbot Banking TrojanMalware Spreading Via Malicious Emails
The Emotet botnet, which recently surged back to life after a months-long hiatus, is now delivering the Qbot banking Trojan to victims' devices, security researchers say.
Since researchers first spotted a resurgent Emotet on Friday, more than 800,000 malicious spam emails have been detected attempting to deliver the malware to victims' devices and increasing the size of the botnet, according to the security firm Proofpoint. In most cases, the emails contained malicious Microsoft Word attachments or URL links that enable macros that help install malware.
The malspam campaign that is spreading the Emotet botnet has been spotted in the U.S., U.K., Canada, Austria, Germany, Brazil, Italy and Spain, says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
"As in previous Emotet campaigns, the payload is delivered either through a malicious attachment, a URL in the email body, or an attachment with a link to the malicious download," DeGrippo tells Information Security Media Group. "The email lures are short and often in the language of the intended recipient, though they are otherwise not customized."
Emotet and Qbot
While security researchers and the U.S. Cybersecurity and Infrastructure Security Agency consider Emotet one of the most dangerous malware strains now in use, an even greater threat from the botnet is its ability to deliver other malicious code, security researchers say.
While Emotet has previously been associated with malware such as TrickBot and various ransomware strains, this latest campaign appears designed to deliver a banking Trojan known as Qbot or Qakbot, according to Cryptolaemus, a group of security researchers who track and attempt to disrupt the botnet.
#Emotet Update - We are detecting #QBot being dropped by Emotet infections on all epochs instead of #Trickbot gtag Mor today. @Intel471Inc identified the campaign_id on this QBot as "partner01" which is interesting because in the past we have seen the hhh series. More Later.— Cryptolaemus (@Cryptolaemus1) July 21, 2020
Proofpoint has also seen evidence of Emotet attempting to deliver Qbot. "Given the highly versatile nature of this threat, we may see additional changes as more messages are distributed," DeGrippo says.
The Emotet botnet comprises separate subgroups or "epochs" that each have their own command-and-control infrastructure and can deliver malware. In this latest campaign, researchers with Cryptolaemus, as well as security firm Intel 471, found that several Emotet epochs were attempting to deliver Qbot.
Qbot, which has been active since 2008, is primarily designed to steal the data and credentials of banking customers. In June, researchers with F5 Labs uncovered a Qbot campaign that targeted customers of several large financial institutions, including JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo among others (see: Researchers: Qbot Banking Trojan Making a Comeback).
In 2014, Proofpoint found that Qbot was able to compromise about 800,000 banking credentials during a single campaign (see: Hackers Grab 800,000 Banking Credentials).
Emotet first appeared as a banking Trojan in 2014. Over the years, its operators have adjusted its code, and it now primarily works as a botnet delivering other malware to infected devices, according to security researchers.
Emotet frequently re-emerges after periods of inactivity. This happened again on Friday, when it appeared for the first time since February.
After a previous four-month absence, Emotet came back to life in September 2019 and continued sending out malicious spam and phishing emails until it went quiet again in February (see: Researchers: Emotet Botnet Is Active Again).
Managing Editor Scott Ferguson contributed to this report.