Emotet spam trojan surges back to life after 5 months of silence


After months of inactivity, the notorious Emotet spamming trojan has come alive again as it spews out a massive campaign of malicious emails targeting users worldwide.

Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim’s computer, which installs other malware over time and using the infected computer to send further spam emails.

Binary Defense researcher James Quinn told BleepingComputer that Emotet was last seen on Feb 7th, 2020, after which the spamming trojan went quiet and has not sent out any spam emails since.

While the Emotet tracking group Cryptolaemus has been tracking the infection and has seen its malicious modules being updated over time, there has been no spamming conducted by the botnet other than some small tests earlier this week.

Emotet surges back to life

Today, Emotet suddenly surged back to life with reply-chain, shipping, payment, and invoice spam that deliver malicious Word documents spreadsheets.

In a conversation with Emotet expert Joseph Roosen, BleepingComputer was told limited activity was seen earlier this week, but the included malicious documents were utilizing old URLs.

Roosen stated that the Emotet botnet is now spewing forth massive amounts of spam, and the malicious documents are using new URLs that are commonly hacked WordPress sites.

One of the Emotet spam emails shared with BleepingComputer by Binary Defense is a reply-chain template that pretends to be a shipping document from Loomis-express.com.

Emotet reply-chain email template
Emotet reply-chain email template

Confense Labs also told BleepingComputer that the predominant template that they are seeing has a subject of ‘Jobs GO’, and quite a few using a ”Expedia Payment Remittance Advice”  or requests for W-9 templates.

Jobs GO Emotet spam template
Jobs GO Emotet spam template

The attached Word documents use a new template that tells the user it cannot be opened properly as it was created on iOS.  It then has a mistake in the template where it states to ‘Enable Edition’ rather than ‘Enable Editing.’

Malicious Emotet document template
Malicious Emotet document template

This new document template has not been used before in past campaigns, and the full text can be read below.

Office 365 Operating did not complete successfully because the file was on IOS device.
To view and edit document click Enable Edition and then click Enable Content.

In a test by BleepingComputer, after enabling macros in a malicious word document, a PowerShell command was executed that downloaded and executed the Emotet executable from hacked WordPress sites.

PowerShell command to download Emotet
PowerShell command to download Emotet

This ultimately led to the trojan being stored as %UserProfile%\AppData\Local\dwmapi\certmgr.exe.

Emotet saved as the certmgr.exe executable
Emotet saved as the certmgr.exe executable

An autorun Registry key will also  be created at HKCU\Software\Microsoft\Windows\CurrentVersion\Run to start the Emotet trojan when Windows starts.

Emotet autostart entry
Emotet autostart entry

Once the malware is running, it will deploy further malicious modules that steal a victim’s mail, spread to other computers, or use the infected computer to send spam.

Over time, Emotet is known to install the TrickBot trojan, which is then used to steal passwords, cookies, SSH keys, spread throughout a network, and ultimately access ransomware operators.

It is important to stress that this new campaign is not isolated to any one particular region and is targeting users worldwide.


If you have discovered that you are infected with Emotet, it is strongly suggested that you perform an audit of your network and email accounts to make sure other devices in your organization were not compromised.

To stay informed about the latest Emotet updates, we suggest you follow the Emotet-tracking Cryptolaemus group on Twitter.

Malwarebytes has also published an article with further IOCs related to this new campaign.

Source: BleepingComputer

Leave a Reply