Emotet Spambot activity surges!

By mhahad posted 10-17-2017 13:30


For several weeks, Cyphort Labs (now part of Juniper Networks Sky ATP) has been observing the renewed activity of the Emotet malspam campaign. As can be seen from the chart below, based on our telemetry, this variant of emotet started to show activity on the first week of August and picked up dramatically towards the end of September through early October.EmotetActivity.png


Emotet is primarily a trojan downloader which downloads additional modules that would perform the following malicious activity:

  • Steal Information (email accounts and browsers credentials).
  • Spread itself via Email Spam.
  • Participate in a DDOS attacks.
  • Steal bank credentials (only in prior versions).


Its recent uptick in activity may be attributed to its spam module and it could mean that it has added a significant number of infected hosts to its botnet to cause this spike in activity.


Infection Chain


Emotet has historically been distributed through Spam emails containing phishing links leading to malicious office documents which would then download the Emotet payload. We have also seen downloaders that arrive as PDF containing a malicious link that leads to a malicious macro (creadit to: @JAMESWT_MHT).



Emotet Spam Email.



 PDF with link to malicious Emotet trojan.


The malicious macro will execute a powershell command to download emotet.




In our case, the emotet sample was downloaded from http://austxport[.]com[.]au/redbeandesign/zaW/  as a plain executable.



The downloaded emotet is saved and executed from the %temp% folder as {random_number}.exe.  It copies itself into the %system% folder as searchlog.exe. For persistence, it installs itself as a service named searchlog as seen below.




Command and Control

Emotet contacts its CnC server, which in one particular case happens to be, via HTTP but uses port 443. Communication to its CnC is encrypted using a custom protocol. It will first send information about the infected system, such as username, OS version, etc.


As with the previous emotet versions, it responds with HTTP/1.1 404 Not Found. This is a clever way for the actors to hide the communicaton as many security devices like web gateways will not process 404 response pages. As you can see from the pcap below, it still sends encrypted data.



Emotet HTTP Request/Response showing the 404 response code.


At the time of our analysis, The CnC server was not returning any malicious samples anymore. 




SPAM Email Hashes:




MSWord Attcachment Document:



Emotet Payload:



This analysis is courtesy of Paul Kimayong.