Overview

Emotet’s automated, targeted phishing campaigns have arrived, and they are aggressive. As originally discovered and predicted in our previous post about Emotet’s mass email harvesting, computers infected with Emotet and its email harvesting module could be used to create believable emails that even savvy email users may be tricked into clicking. Since then, Kryptos’ Threat Intelligence Team has observed Emotet’s behavior evolve with the aid of its stolen email troves.
Our Threat Intelligence team has been tracking the Emotet botnet throughout 2018. In our previous post we reported a large-scale Emotet campaign focused on email content exfiltration. Today, we review the evidence gathered from our Telltale Threat Intelligence Service, which suggests the involvement of Emotet as the delivery mechanism for the latest wave of Ryuk ransomware attacks being dubbed North Korean state-sponsored cyber-attacks. The evidence from the dataset supplies the missing narrative needed to show a likely and complete attack chain of compromise via organized crimeware activity.
The Emotet malware family just raised the stakes by adding email exfiltration to its arsenal, thereby escalating its capabilities to cyber espionage. While it has recently made headlines for delivering ransomware payloads to United States infrastructure such as water utilities, Emotet has lain mostly dormant for the past month. In recent days, however, the mummy has returned just in time for Halloween, as we observed a new module capable of exfiltrating email content back to the botnet’s operators.
The Emotet botnet’s reputation precedes it: historically aggressive and malicious, today it has evolved and incorporated a number of advancements to create a more resilient botnet delivery system, nearly immune to takedown. Recently, US-CERT reported that Emotet incidents (and the payload droppers that follow them) are affecting state, local, tribal, and territorial (SLTT) governments at a cost of up to 1 million dollars per incident. We have captured a global view of many of the active infections within the latest Emotet botnet.