The Emotet malware botnet is now also using stolen attachments to increase the authenticity of the spam emails it uses to infect targets' systems. This is the first time the botnet has used stolen attachments to add credibility to its emails. With this campaign, Emotet's hijacking of email conversation threads goes to the next level: a malicious URL or attachment is included in new emails inserted into existing conversations as a concealment measure.
This lends even more authenticity to the phishing emails. In one email, 5 benign attachments were found alongside a dropper link in the templated portion of the email.
The botnet has been delivering massive amounts of malicious spam emails — camouflaged as payment reports, invoices, employment opportunities, and shipping information — through all its server clusters starting July 17. Emotet is also being used on a massive scale as a dropper for ransomware. For example, ProLock ransomware is expected to be deployed on some of the systems initially infected with Emotet.
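The combination described above (a reply injected into an existing thread, several benign attachments, and a link in the newly written portion) is something mail-gateway triage can score for. The following Python is an added example written for this page, not code from the report or from any vendor product; the message samples are constructed, the `example.invalid` URLs are placeholders, and the scoring rule is an assumed heuristic, not a claim about how Emotet mail is actually detected.

```python
"""Heuristic triage for thread-hijack style lures (added example, constructed
samples). Flags a message that (a) is a reply into an existing conversation,
(b) carries at least one attachment, and (c) contains a URL in the text the
sender newly wrote, i.e. outside the '>'-quoted thread history."""
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def make_email(subject, body, attachments=(), in_reply_to=None):
    """Build a raw RFC 5322 message. Constructed sample input only."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "target@example.com"
    msg["Subject"] = subject
    if in_reply_to:
        # Threading headers are what make the mail land inside a conversation.
        msg["In-Reply-To"] = in_reply_to
        msg["References"] = in_reply_to
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def analyze(raw):
    """Return the triage features and a boolean 'suspicious' verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    is_reply = bool(msg["In-Reply-To"] or msg["References"]) \
        or subject.startswith(("re:", "fw:", "fwd:"))
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    text_part = msg.get_body(preferencelist=("plain",))
    text = text_part.get_content() if text_part is not None else ""
    # Only the sender's own lines count; links quoted from the original
    # thread are legitimate context and must not trigger the rule.
    new_lines = [ln for ln in text.splitlines()
                 if not ln.lstrip().startswith(">")]
    new_urls = URL_RE.findall("\n".join(new_lines))
    return {
        "is_reply": is_reply,
        "attachment_count": len(attachments),
        "new_urls": new_urls,
        "suspicious": is_reply and bool(new_urls) and len(attachments) >= 1,
    }


# --- constructed samples -------------------------------------------------
THREAD_ID = "<original-thread@example.com>"
QUOTED = ("> Hi, please find the agreed numbers below.\n"
          "> Tracking page: http://example.invalid/tracking\n"
          "> Regards, Sam\n")
BENIGN = [(f"doc{i}.pdf", b"%PDF-1.4 constructed placeholder") for i in range(5)]

# Lure: reply into the thread, five stolen-looking attachments, new link.
HIJACK = make_email("RE: Q2 invoices",
                    "Updated version here: http://example.invalid/view\n\n" + QUOTED,
                    BENIGN, THREAD_ID)
# Ordinary reply: the only URL is inside the quoted history.
NORMAL_REPLY = make_email("RE: Q2 invoices", "Thanks, approved.\n\n" + QUOTED,
                          BENIGN[:1], THREAD_ID)
# Fresh message with a link and attachment but no thread context.
FRESH = make_email("Shipping information",
                   "Your parcel: http://example.invalid/ship\n", BENIGN[:1])

if __name__ == "__main__":
    for name, raw in (("hijack", HIJACK), ("normal", NORMAL_REPLY), ("fresh", FRESH)):
        print(name, analyze(raw))
```

The rule is deliberately narrow: it fires only on the intersection of thread context, attachments and a freshly written link, which is the pattern the campaign above relies on, and it ignores links that merely arrive inside the quoted history. In production the verdict would feed a score alongside sender-domain and attachment-type checks rather than block on its own.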