
Emotet Sending Malicious Emails After Three-Month Hiatus


Key Points:

  • Emotet malicious email activity resumed Tuesday, March 7, 2023 at 8:00am EST.
  • Malicious emails contain attached .zip files that are not password protected.
  • The attached .zip files deliver Office documents with malicious macros, which in turn download and execute the Emotet .dll.
  • It is unclear how long this round of email activity will last, as periods of activity in 2022 varied widely.

After several months of inactivity, the Emotet botnet resumed email activity this morning at 8:00am EST. The malicious emails appear to be replies to existing email threads, with an attached .zip file added (Figure 1). The .zip files are not password protected. The themes of the attached files include finances and invoices.


Figure 1: Sample Emotet email with attached .zip file.

The .zip files attached to these recent Emotet emails contain an Office document with macros (Figure 2). Once the document is opened, the user is prompted to click “Enable Content”, which allows the malicious macros to run. The macros download an Emotet .dll from an external site and execute it locally on the machine.


Figure 2: Office document with macros to download and execute Emotet.
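As an added illustration (not Cofense's code), the following attachment check mirrors the delivery chain described above: it opens an attached .zip, flags any password-protected entries, and reports which Office Open XML documents inside carry a vbaProject.bin macro part. The sample attachment, filename and document contents are constructed inline; legacy binary .doc/.xls files are OLE containers and would need a separate parser.

```python
import io
import zipfile

# Office Open XML parts that hold a VBA project (docm/xlsm/pptm and friends).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OOXML_EXT = (".docm", ".xlsm", ".pptm", ".docx", ".xlsx", ".pptx")

def is_encrypted(info):
    # Bit 0 of the zip general-purpose flag marks a password-protected entry.
    return bool(info.flag_bits & 0x1)

def ooxml_has_macros(data):
    """True if an OOXML document (itself a zip) carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            names = set(doc.namelist())
            return any(part in names for part in VBA_PARTS)
    except zipfile.BadZipFile:
        return False

def inspect_zip_attachment(blob):
    """Return findings for one attached .zip: encrypted entries, Office docs, macro docs."""
    findings = {"encrypted_entries": [], "office_docs": [], "macro_docs": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as outer:
        for info in outer.infolist():
            if is_encrypted(info):
                findings["encrypted_entries"].append(info.filename)
                continue  # cannot inspect contents without the password
            if info.filename.lower().endswith(OOXML_EXT):
                findings["office_docs"].append(info.filename)
                if ooxml_has_macros(outer.read(info)):
                    findings["macro_docs"].append(info.filename)
    return findings

def build_sample():
    """Constructed sample: an unencrypted zip wrapping a macro-bearing .docm (placeholder bytes)."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2023.docm", doc.getvalue())  # hypothetical filename
    return outer.getvalue()

if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample()))
```

A mail gateway rule built on this would treat an unencrypted .zip whose only payload is a macro-bearing Office document as a quarantine candidate, and route password-protected entries (which this check cannot open) to a separate review queue.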

It is unclear how long this round of email activity will last. While an earlier round of activity in 2022 extended across multiple weeks, the last round occurred over less than two weeks in November 2022, with more than three months of inactivity on either side.
