Technical analysis by the Malware Hunter JAMESWT

Emotet, after a period of pause, returns to attack Italy with a new campaign that uses real stolen email conversations

Emotet, after a pause, returns to hit Italy with a new campaign that takes advantage of real stolen email conversations. The messages contain a .doc file that contacts the first available url from a list inside it. If this doesn’t respond, move on to the next until it gets a positive result. Objective: to download the malware from one of the three Epoch botnet. This is a banking Trojan to which cybercrime actors have over time added modules that allow it to steal passwords stored in the victims’ software, infect other computers connected to the same network and reuse emails for subsequent spam campaigns.

Examples of real stolen email conversations used to spread Emotet

The .doc attachments, that contact the first available url from a list inside them

The links on Epoch botnets, contacted by attachments to download malware