Emotet is a banking Trojan that has been in use since 2014. During December 2020, it slightly changed the way its client code checks in to the C2 servers. The clients now add a URL path that, at first glance, appears to be a random string with a minimum length of four characters. A slightly deeper investigation into this traffic shows that the path is actually the key from the key/value pair in the posted form data. In addition, Emotet has returned to using malicious URLs delivered through several different malspam templates. These phishing emails use themes such as an application for a medical certificate, a form for a 2020 information update, emails from shipment companies, and Open Enrollment 2020-themed insurance baits. Cofense also reports that Emotet has bypassed the gateways of Proofpoint, Microsoft EOP, Mimecast and Cisco IronPort.
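As an added illustration (not code from the original report), the following Python heuristic flags HTTP POST requests whose last path segment equals a form-data key of at least four characters, the check-in pattern described above. The sample requests, hostnames and addresses are constructed for the example.

```python
from typing import NamedTuple, Optional
from urllib.parse import parse_qs, urlparse


class HttpPost(NamedTuple):
    """Minimal view of a logged HTTP POST (fields a proxy log would hold)."""
    url: str
    content_type: str
    body: str


def emotet_path_key_match(req: HttpPost, min_len: int = 4) -> Optional[str]:
    """Return the matching key when the URL's last path segment equals a
    form-data key of at least `min_len` characters, otherwise None.
    This mirrors the December 2020 Emotet check-in pattern: the path is the
    key of the key/value pair in the posted form. It is a heuristic, so
    matches should be reviewed rather than treated as proof of infection."""
    mime = req.content_type.split(";")[0].strip().lower()
    if mime != "application/x-www-form-urlencoded":
        return None
    path = urlparse(req.url).path.strip("/")
    if not path:
        return None
    last_segment = path.rsplit("/", 1)[-1]
    if len(last_segment) < min_len:
        return None
    keys = parse_qs(req.body, keep_blank_values=True).keys()
    return last_segment if last_segment in keys else None


def flag_posts(posts):
    """Apply the heuristic to a list of requests; return (url, key) hits."""
    hits = []
    for post in posts:
        key = emotet_path_key_match(post)
        if key:
            hits.append((post.url, key))
    return hits


# Constructed sample requests (documentation address range, not real C2s).
SAMPLE_POSTS = [
    HttpPost("http://203.0.113.10:8080/XpVjxDdPm/",
             "application/x-www-form-urlencoded", "XpVjxDdPm=ZGF0YQ%3D%3D"),
    HttpPost("http://example.com/login",
             "application/x-www-form-urlencoded", "user=alice&pass=secret"),
    HttpPost("http://example.com/api", "application/json", '{"api": 1}'),
    HttpPost("http://203.0.113.10/ab/", "application/x-www-form-urlencoded", "ab=1"),
]

if __name__ == "__main__":
    for url, key in flag_posts(SAMPLE_POSTS):
        print(f"suspect check-in: {url} (path == form key {key!r})")
```

Only the first sample matches; a normal login form, a JSON API call, and a two-character path all fall through.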
By the looks of it, the Emotet actors are masters at creating email templates that exploit a user's emotional response at just the right moment.