A full month has not yet passed since its C2 servers came back online, but the Emotet botnet has returned, sending out spam messages to citizens, businesses and governments worldwide.
Infected emails carrying the Emotet sign-off were picked up earlier this week by users in Germany, the UK, Poland and Italy, while companies and government agencies were hit in the US.
In June of this year, cyber-security experts realised that the C2 servers of Emotet had become suspiciously quiet, having stopped sending out commands to zombie machines. The lull continued until August 22nd, when the system kicked up once more and servers began to respond to requests.
Since that date, the operators appear to have been doing the groundwork needed to restart botnet activity: eliminating fake bots, putting together new campaigns, and setting up distribution channels by hacking websites and establishing web shells on them. Emotet is back.
Websites believed to have been compromised through Emotet include:
- customernoble.com – a cleaning company
- www.mutlukadinlarakademisi.com – a Turkish women’s blog
The first sign of the damage came when researchers at Cofense Labs told BleepingComputer that Emotet is now targeting nearly 66,000 unique email addresses across more than 30,000 domain names from 385 unique top-level domains (TLDs).
Speaking to BleepingComputer, Cofense explained that the malicious emails had come from 3,362 different senders whose credentials had been illegally obtained. The number of unique sender domains peaked at 1,875, spanning around 400 TLDs.
“From home users all the way up to government-owned domains. The sender list includes the same dispersion as the targets. Many times we’ve seen precise targeting using a sender whose contact list appears to have been scraped and used as the target list for that sender. This would include b2b as well as gov-to-gov.”
The post #privacy: Emotet bot revival sends malicious emails worldwide appeared first on PrivSec Report.