The cyber criminals behind the Emotet trojan have re-activated their C&C servers, and new campaigns with successful infections will probably follow soon.
German CERT-Bund warns against Emotet
During the last few weeks this summer it was quiet regarding Emotet trojan/ransomware infections. The last news I remember was the Emotet infection at German publisher heise in May 2019 and a warning from the German BSI in April this year. In early June 2019 the Emotet C&C servers went offline. Maybe the cyber criminals just went on ‘summer vacation’. But that’s over now.
#Emotet is back! For a few hours now, the Emotet C&C infrastructure that was shut down at the beginning of June has been back online and is delivering modules to still-infected clients. Anyone who has not yet blocked access from their network to the last known C&C servers, …
— CERT-Bund (@certbund) August 23, 2019
German CERT-Bund warns in the tweet above about the Emotet trojan. They say the Emotet infrastructure that went offline in June 2019 is back online: the Command and Control servers (C&C servers) are online again and have started delivering malware modules to clients that are still infected.
For administrators in companies this means blocking outbound access from their networks to the known C&C servers, which the tweet explicitly asks of everyone who has not done so yet. A list of the IP addresses to be blocked can be found on this website. Since the servers are handing out modules to still-infected clients, any internal host that shows up in firewall or proxy logs as having contacted one of these addresses should be treated as infected and taken off the network.
— Jake (@JCyberSec_) August 23, 2019
Addendum: The tweet above and this blog post also share this information.
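The blocking step itself, as an added example that is not part of the original post or of CERT-Bund's list: the Python script below reads a C&C blocklist in the usual one-entry-per-line form, matches it against egress firewall or proxy log lines to find the internal hosts that already talked to the C&C servers (the “still infected clients” the tweet refers to), and renders one outbound block rule per entry. The addresses (RFC 5737 documentation ranges), the log line format and the iptables output syntax are constructed assumptions for the demo; substitute the published C&C list and your own firewall's rule syntax.

```python
"""Added example (not from the original post or CERT-Bund): match outbound
connection logs against a C&C blocklist and emit firewall block rules.

All addresses and log lines below are constructed placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed blocklist: single IPs, an IP:port entry and a CIDR range, one per
# line, with a comment line, the form most published indicator lists use.
CNC_BLOCKLIST = """
# example C&C indicators (constructed, RFC 5737 documentation ranges)
203.0.113.10
203.0.113.11:8080
198.51.100.0/28
"""

# Constructed egress log lines: timestamp, source host, destination, port.
SAMPLE_LOG = """
2019-08-23T10:01:12Z src=10.0.5.23 dst=203.0.113.10 dport=443 action=allow
2019-08-23T10:01:15Z src=10.0.5.23 dst=93.184.216.34 dport=443 action=allow
2019-08-23T10:02:40Z src=10.0.7.81 dst=198.51.100.7 dport=8080 action=allow
2019-08-23T10:03:02Z src=10.0.7.81 dst=203.0.113.11 dport=8080 action=allow
2019-08-23T10:05:55Z src=10.0.9.4 dst=203.0.113.99 dport=80 action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_blocklist(text):
    """Return ip_network objects; comments are dropped and an IPv4 ':port'
    suffix is stripped (a single IP becomes a /32 network)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # exactly one colon means IPv4:port; IPv6 entries have more and pass through
        host = line.rsplit(":", 1)[0] if line.count(":") == 1 else line
        nets.append(ipaddress.ip_network(host, strict=False))
    return nets


def find_cnc_contacts(log_text, nets):
    """Map each internal source host to the (timestamp, dst, port) C&C
    contacts found in the log; hosts listed here are still infected."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if any(dst in net for net in nets):
            hits[m["src"]].append((m["ts"], m["dst"], int(m["dport"])))
    return dict(hits)


def firewall_rules(nets):
    """Render one outbound DROP rule per indicator (iptables syntax as an
    assumed example; adapt to the egress firewall actually in use)."""
    return [f"iptables -A OUTPUT -d {net.with_prefixlen} -j DROP" for net in nets]


if __name__ == "__main__":
    nets = parse_blocklist(CNC_BLOCKLIST)
    for rule in firewall_rules(nets):
        print(rule)
    for host, contacts in find_cnc_contacts(SAMPLE_LOG, nets).items():
        print(f"still infected: {host} -> {contacts}")
```

Run against real data, the log parser is the only part that needs adjusting to the firewall or proxy format in use; the blocklist parsing and the matching stay the same.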
What is Emotet?
The Emotet trojan is nothing new; Symantec published an article about this malware in summer 2018. The group behind the trojan has been active since at least 2014 and initially focused on banking customers. Some time ago, however, the strategy changed: the group now attacks infrastructure and companies in Europe and uses Emotet as a door-opener to infect them with further malware, including ransomware.
The German Lower Saxony State Criminal Police Office (LKA) has warned several times in recent months that the malware “Emotet” is spreading massively via e-mail attachments. The Emotet trojan reads the address books and evaluates the victims’ e-mail communication. In this way the malware can send itself to the e-mail addresses of further potential victims, who then receive an e-mail from a supposedly known sender, which makes the mails hard to tell apart from legitimate ones.
The text of the mails varies, but it always tries to trick the recipient into opening the attachment. The attachment is mostly a Word .doc file with macro code. If macro execution is blocked, the document itself tries to talk the victim into enabling macros via Office’s “Enable Content” button, which starts the malicious code.
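A mail-gateway triage check for exactly this lure, as an added example that is not part of the original post: it looks at raw attachment bytes and reports whether a Word document carries a VBA project. For the OOXML formats (.docx/.docm) the check is exact, since macros live in `word/vbaProject.bin` inside the zip container; for legacy OLE2 `.doc` files it is a byte-level heuristic that scans for the storage names Word uses for VBA projects rather than a full OLE parser, so it can miss obfuscated containers. The sample documents are constructed in-memory for the demo, not real Emotet attachments.

```python
"""Added example (not part of the original post): flag Word attachments that
carry VBA macros, the Emotet lure described above.

OOXML check: exact (word/vbaProject.bin present in the zip container).
OLE2 check: heuristic, scans for the UTF-16LE storage names "Macros", "VBA"
and "_VBA_PROJECT"; it is not a full OLE2 directory parser.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML is a zip container
# OLE directory entry names are stored as UTF-16LE (heuristic, see docstring).
OLE_MACRO_NAMES = [s.encode("utf-16-le") for s in ("Macros", "VBA", "_VBA_PROJECT")]


def attachment_has_macros(data):
    """Return (has_macros, reason) for the raw bytes of one attachment."""
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return False, "zip container unreadable"
        hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if hits:
            return True, "OOXML with " + ", ".join(hits)
        return False, "OOXML without vbaProject.bin"
    if data.startswith(OLE_MAGIC):
        found = [n.decode("utf-16-le") for n in OLE_MACRO_NAMES if n in data]
        if found:
            return True, "OLE2 document with VBA storage " + ", ".join(found)
        return False, "OLE2 document, no VBA storage name seen (heuristic)"
    return False, "not an Office container"


def build_sample_docm(with_macros):
    """Constructed OOXML sample for the demo (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_ole(with_macros):
    """Constructed OLE2-looking blob: valid magic, optionally a 'Macros'
    storage name where a directory entry would carry it."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_macros:
        body += "Macros".encode("utf-16-le") + b"\x00" * 52
    return body


if __name__ == "__main__":
    for label, blob in (("docm", build_sample_docm(True)),
                        ("docx", build_sample_docm(False)),
                        ("doc with macros", build_sample_ole(True)),
                        ("doc without macros", build_sample_ole(False)),
                        ("pdf", b"%PDF-1.4 constructed")):
        print(label, attachment_has_macros(blob))
```

A gateway rule built on this would quarantine or strip any inbound attachment for which the check returns true, regardless of what the file extension claims; the container magic, not the name, decides which branch runs.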
The most critical part of Emotet is the component that enables lateral movement in enterprise networks. This represents a special challenge for companies: network propagation means that victims can be infected without ever clicking on a malicious link or opening a malicious attachment.
Once on a computer, Emotet downloads and executes a spreader module. According to Symantec, the module contains a password list that it uses to try to gain access to other computers on the same network. Those guessing attempts leave a trail of failed logons on the targeted machines, which is one of the few reliable ways to notice the spreader at work. Microsoft has published an article about this malware here; Windows Defender detects some variants.
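One way to spot the spreader's password-list attempts in Windows Security logs, as an added example that is not from the original post, Symantec or Microsoft: a single workstation producing a burst of failed network logons (Event ID 4625, logon type 3) against many accounts and several targets within a short window is the pattern, as opposed to a user mistyping one password a few times. The event lines below are constructed, simplified renderings of the 4625 fields (time, target host, source workstation, account, logon type), not real log data; the thresholds are assumptions to tune per environment.

```python
"""Added example (not from the original post, Symantec or Microsoft): detect
Emotet-spreader-style password guessing from failed logon events.

Input lines are a constructed, flattened form of Windows Event ID 4625.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. WS-023 sprays four accounts at three hosts in seconds;
# WS-041 is a user who mistyped twice; WS-077 is an interactive (type 2) failure.
SAMPLE_4625 = """\
2019-08-23 09:00:01 target=FS01 src=WS-023 user=administrator type=3
2019-08-23 09:00:01 target=FS01 src=WS-023 user=admin type=3
2019-08-23 09:00:02 target=FS01 src=WS-023 user=backup type=3
2019-08-23 09:00:02 target=FS01 src=WS-023 user=service type=3
2019-08-23 09:00:03 target=PC-104 src=WS-023 user=administrator type=3
2019-08-23 09:00:03 target=PC-104 src=WS-023 user=admin type=3
2019-08-23 09:00:04 target=PC-104 src=WS-023 user=backup type=3
2019-08-23 09:00:04 target=PC-105 src=WS-023 user=administrator type=3
2019-08-23 09:00:09 target=FS01 src=WS-041 user=jdoe type=3
2019-08-23 09:07:30 target=FS01 src=WS-041 user=jdoe type=3
2019-08-23 09:30:00 target=DC01 src=WS-077 user=mmueller type=2
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) target=(?P<target>\S+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) type=(?P<type>\d+)$"
)


def parse_events(text):
    """Parse the flattened 4625 lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "target": m["target"],
                "src": m["src"],
                "user": m["user"].lower(),
                "type": int(m["type"]),
            })
    return events


def find_spreader_candidates(events, window=timedelta(seconds=60),
                             min_failures=6, min_accounts=4):
    """Return {source_host: summary} for hosts whose network logon failures
    inside any `window` reach min_failures across at least min_accounts
    distinct accounts (assumed thresholds; tune to the environment)."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == 3:              # network logons only (SMB/admin shares)
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):       # sliding window over the sorted events
            j = i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            burst = evs[i:j]
            accounts = {e["user"] for e in burst}
            if len(burst) >= min_failures and len(accounts) >= min_accounts:
                flagged[src] = {
                    "failures": len(burst),
                    "accounts": sorted(accounts),
                    "targets": sorted({e["target"] for e in burst}),
                    "first": burst[0]["ts"],
                    "last": burst[-1]["ts"],
                }
                break
    return flagged


if __name__ == "__main__":
    for host, info in find_spreader_candidates(parse_events(SAMPLE_4625)).items():
        print(f"possible spreader on {host}: {info}")
```

Fed with real 4625 events collected from the targeted machines (the failures are logged where the logon is refused, not on the attacker's host), the same grouping by source workstation points at the infected client that is running the spreader; that host is the one to isolate first.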