#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

Emotet | Breaking Cybersecurity News | The Hacker News

Category — Emotet
Authorities Ramp Up Efforts to Capture the Mastermind Behind Emotet

Authorities Ramp Up Efforts to Capture the Mastermind Behind Emotet

Jun 03, 2024 Malware / Cybercrime
Law enforcement authorities behind Operation Endgame are seeking information related to an individual who goes by the name Odd and is allegedly the mastermind behind the Emotet malware.  Odd is also said to go by the nicknames Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, and Veron over the past few years, according to a video released by the agencies. "Who is he working with? What is his current product?," the video continues, suggesting that he is likely not acting alone and may be collaborating with others on malware other than Emotet. The threat actor(s) behind Emotet has been tracked by the cybersecurity community under the monikers Gold Crestwood, Mealybug, Mummy Spider, and TA542. Originally conceived as a banking trojan, it evolved into a broader-purpose tool capable of delivering other payloads, along the lines of malware such as TrickBot, IcedID, QakBot, and others. It re-emerged in late 2021, albeit as part of low-volume campaigns, following a law enforceme...
QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

Dec 18, 2023 Malware / Cybersecurity
A new wave of phishing messages distributing the  QakBot  malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry. "Targets received a PDF from a user masquerading as an IRS employee," the tech giant  said  in a series of posts shared on X (formerly Twitter). "The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export 'hvsi' execution of an embedded DLL." Microsoft said that the payload was generated the same day the campaign started and that it's configured with the previously unseen version 0x500. Zscaler ThreatLabz, in a post shared on X, described the resurfaced QakBot as a 64-bit binary that utilizes AES ...
7 PAM Best Practices to Secure Hybrid and Multi-Cloud Environments

7 PAM Best Practices to Secure Hybrid and Multi-Cloud Environments

Dec 04, 2024Risk Management / Zero Trust
Are you using the cloud or thinking about transitioning? Undoubtedly, multi-cloud and hybrid environments offer numerous benefits for organizations. However, the cloud's flexibility, scalability, and efficiency come with significant risk — an expanded attack surface. The decentralization that comes with utilizing multi-cloud environments can also lead to limited visibility into user activity and poor access management.  Privileged accounts with access to your critical systems and sensitive data are among the most vulnerable elements in cloud setups. When mismanaged, these accounts open the doors to unauthorized access, potential malicious activity, and data breaches. That's why strong privileged access management (PAM) is indispensable. PAM plays an essential role in addressing the security challenges of complex infrastructures by enforcing strict access controls and managing the life cycle of privileged accounts. By employing PAM in hybrid and cloud environments, you're not...
Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

Dec 04, 2023 Ransomware / Cyber Attack
Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector. The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team  said  in a series of posts on X (formerly Twitter). DanaBot , tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that's capable of acting as a stealer and a point of entry for next-stage payloads. UNC2198, for its part, has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as  detailed  by Google-owned Mandiant in February 2021. Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The shift to DanaBot, therefore, is likely the...
cyber security

The AppSec & R&D Playbook: How to Align Security and Innovation

websiteBackslashApplication Security
AppSec vs. R&D? Bridge the gap with clear steps to streamline workflows and foster collaboration.
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries

New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries

Jul 14, 2023 Network Security / Malware
A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware  AVrecon , making it the third such strain to focus on SOHO routers after  ZuoRAT  and  HiatusRAT  over the past year. "This makes AVrecon one of the largest SOHO router-targeting botnets ever seen," the company  said . "The purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud." A majority of the infections are located in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa, among others. AVrecon was  first highlighted  by Kaspersky senior security researcher Ye (Seth) Jin in May 2021, indicating th...
Emotet Rises Again: Evades Macro Security via OneNote Attachments

Emotet Rises Again: Evades Macro Security via OneNote Attachments

Mar 20, 2023 Endpoint Security / Email Security
The notorious Emotet malware, in its  return after a short hiatus , is now being distributed via  Microsoft OneNote email attachments  in an attempt to bypass macro-based security restrictions and compromise systems. Emotet , linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down. A  derivative  of the  Cridex   banking worm  – which was  subsequently   replaced  by  Dridex  around the same time GameOver Zeus was disrupted in 2014 – Emotet has  evolved  into a "monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion." While Emotet infections have acted as a  conduit  to deliver Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its return in late 2021 was  facili...
Emotet Malware Makes a Comeback with New Evasion Techniques

Emotet Malware Makes a Comeback with New Evasion Techniques

Jan 24, 2023 Cyber Threat / Cyber Crime
The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially  reemerged  in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails. Attributed to a cybercrime group tracked as  TA542  (aka Gold Crestwood or Mummy Spider), the virus has  evolved  from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities. Two latest additions to Emotet's module arsenal comprise an  SMB spreader  that's designed to facilitate lateral...
IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours

IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours

Jan 12, 2023 Active Directory / Malware
A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access, while also borrowing techniques from other groups like Conti to meet its goals. "Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host," Cybereason researchers  said  in a report published this week. IcedID , also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a  dropper for other malware , joining the likes of  Emotet ,  TrickBot ,  Qakbot ,  Bumblebee , and  Raspberry Robin . Attacks involving the delivery of IcedID have  leveraged a variety of methods , especially in the wake of  Microsoft's decision to block macros  from Office files downloaded from the web. The intrusion d...
All You Need to Know About Emotet in 2022

All You Need to Know About Emotet in 2022

Nov 26, 2022
For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it. Why is everyone scared of Emotet? Emotet  is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns. The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and then loads into memory. It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware. The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet...
Notorious Emotet Malware Returns With High-Volume Malspam Campaign

Notorious Emotet Malware Returns With High-Volume Malspam Campaign

Nov 21, 2022
The notorious Emotet malware has returned with renewed vigor as part of a high-volume malspam campaign designed to drop payloads like  IcedID  and  Bumblebee . "Hundreds of thousands of emails per day" have been sent since early November 2022, enterprise security company Proofpoint  said  last week, adding, "the new activity suggests Emotet is returning to its full functionality acting as a delivery network for major malware families." Among the primary countries targeted are the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil. The Emotet-related activity was last observed in July 2022, although  sporadic   infections  have been  reported  since then. In mid-October, ESET  revealed  that Emotet may be readying for a new wave of attacks, pointing out updates to its "systeminfo" module. The malware, which is attributed to a threat actor known as Mummy Spider (aka Gold Crestwood or TA542), staged a r...
Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware

Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware

Oct 21, 2022
The notorious  Emotet botnet  has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an  attack chain  detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch the second. While phishing attacks like these traditionally require persuading the target into opening the attachment, the cybersecurity company said the campaign sidesteps this hurdle by making use of a batch file to automatically supply the password to unlock the payload. The first SFX archive file further makes use of either a PDF or Excel icon to make it appear legitimate, when, in reality, it contains three components: the password-protected second SFX RAR file, the aforementioned batch script which launches the archive, and a decoy PDF or image. "The execution ...
New Ursnif Variant Likely Shifting Focus to Ransomware and Data Theft

New Ursnif Variant Likely Shifting Focus to Ransomware and Data Theft

Oct 20, 2022
The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot. "This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez  disclosed  in a Wednesday analysis. The refreshed and refactored variant, first spotted by the Google-owned threat intelligence firm in the wild on June 23, 2022, has been codenamed LDR4, in what's being seen as an attempt to lay the groundwork for potential ransomware and data theft extortion operations. Ursnif, also called Gozi or ISFB, is one of the oldest banker malware families, with  the earliest documented attacks  going as far back as 2007. Check Point, in August 2020, mapped the " divergent evolution of Gozi " over th...
New Report Uncovers Emotet's Delivery and Evasion Techniques Used in Recent Attacks

New Report Uncovers Emotet's Delivery and Evasion Techniques Used in Recent Attacks

Oct 10, 2022
Threat actors associated with the notorious Emotet malware are continually shifting their tactics and command-and-control (C2) infrastructure to escape detection, according to new research from VMware. Emotet  is the work of a threat actor tracked as Mummy Spider (aka TA542), emerging in June 2014 as a banking trojan before morphing into an all-purpose loader in 2016 that's capable of delivering second-stage payloads such as ransomware. While the botnet's infrastructure was  taken down  as part of a coordinated law enforcement operation in January 2021, Emotet bounced back in November 2021 through another malware known as  TrickBot . Emotet's resurrection, orchestrated by the now-defunct Conti team, has since paved the way for Cobalt Strike infections and, more recently, ransomware attacks involving  Quantum and BlackCat . "The ongoing adaptation of Emotet's execution chain is one reason the malware has been successful for so long," researchers from VMwa...
Emotet Botnet Started Distributing Quantum and BlackCat Ransomware

Emotet Botnet Started Distributing Quantum and BlackCat Ransomware

Sep 19, 2022
The Emotet malware is now being leveraged by ransomware-as-a-service (RaaS) groups, including Quantum and BlackCat, after  Conti's official retirement  from the threat landscape this year. Emotet  started off as a banking trojan in 2014, but updates added to it over time have transformed the malware into a highly potent threat that's capable of downloading other payloads onto the victim's machine, which would allow the attacker to control it remotely. Although the infrastructure associated with the invasive malware loader was taken down as part of a law enforcement effort in January 2021, the Conti ransomware cartel is said to have  played an instrumental role  in its comeback late last year. "From November 2021 to Conti's dissolution in June 2022, Emotet was an exclusive Conti ransomware tool, however, the Emotet infection chain is currently attributed to Quantum and BlackCat," AdvIntel  said  in an advisory published last week. Typical attack s...
New Emotet Variant Stealing Users' Credit Card Information from Google Chrome

New Emotet Variant Stealing Users' Credit Card Information from Google Chrome

Jun 09, 2022
Image Source: Toptal The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser. The credit card stealer, which exclusively singles out Chrome, has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers, according to enterprise security company  Proofpoint , which observed the component on June 6. The development comes amid a  spike  in  Emotet   activity  since it was resurrected late last year following a 10-month-long hiatus in the wake of a law enforcement operation that  took down its attack infrastructure  in January 2021. Emotet, attributed to a threat actor known as TA542 (aka Mummy Spider or Gold Crestwood), is an advanced, self-propagating and modular trojan that's delivered via email campaigns and is used as a distributor for other payloads such as ransomware. As of April 2022, Emotet is still the ...
Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default

Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default

Apr 26, 2022
The threat actor behind the prolific Emotet botnet is testing new attack methods on a small scale before co-opting them into their larger volume malspam campaigns, potentially in response to Microsoft's move to disable Visual Basic for Applications (VBA) macros by default across its products. Calling the new activity a "departure" from the group's typical behavior, Proofpoint alternatively  raised the possibility  that the latest set of phishing emails distributing the malware show that the operators are now "engaged in more selective and limited attacks in parallel to the typical massive scale email campaigns." Emotet, the handiwork of a cybercrime group tracked as  TA542  (aka Mummy Spider or  Gold Crestwood ), staged a  revival of sorts  late last year after a 10-month-long hiatus following a coordinated law enforcement operation to take down its attack infrastructure. Since then, Emotet  campaigns  have targeted thousands of custome...
Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware

Mar 28, 2022
A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report shared with The Hacker News. "A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate." The latest wave of attacks, detected in mid-March 2022, is said to have targeted organizations within energy, healthcare, law, and pharmaceutical sectors. IcedID, aka BokBot, like its counterparts TrickBot and  Emotet , is a  banking trojan  that has evolved to become an entry point for more sophisticated threats, including hu...
Expert Insights / Articles Videos
Cybersecurity Resources