Emotet is back and targeting users around the world with its familiar tactics. So far it has targeted almost 66,000 unique email addresses at more than 30,000 domain names spanning 385 unique top-level domains (TLDs).
The malicious emails came from 3,362 different senders whose credentials had been stolen; those senders spanned 1,875 unique domains across a little over 400 TLDs.
Initially there was no definitive word on the payload, only unconfirmed reports that some U.S.-based hosts received Trickbot, a banking trojan turned malware dropper, as a secondary infection delivered by Emotet.
From current observations and spam emails shared by Cofense and JamesWT, today's Emotet campaign relies mostly on emails with a financial theme that appear to be a reply to an earlier conversation. This was seen in the following English-language message:
Polish and Italian users received a similar message, urging them to take a look at a bill that had caused some problems:
In a message likely sent to a German recipient, the sender claimed there were issues with some documentation and asked the recipient to take a look:
Malware Hash (MD5/SHA1/SHA256)