Emotet attempts to sell access after infiltrating high-value networks

The Emotet trojan has reemerged from a three-month hiatus. (Adobe Stock Images)
The notorious trojan Emotet re-emerged this week after a three-month hiatus with a specific goal: send malicious emails to infiltrate high-value corporate networks and then try to sell that access to ransomware groups.

Instead of just sending malicious Excel files, Emotet is now sending malware in Word files with macros that, if enabled, start the infection chain and execute the Emotet.dll.

Deep Instinct's Threat Research team on Friday reported that the first page of the malicious email contains an image that tries to lure the recipient into enabling macros. The Deep Instinct team observed malicious emails sent to companies around the globe, including in Japan, an image of which they posted on March 10.

Initially conceived as a banking trojan in 2014, Emotet evolved into an all-purpose loader two years later. While the botnet had its infrastructure dismantled in January 2021, it has been resurrected with the help of the TrickBot malware by the mostly defunct Conti group. In security circles, Emotet is tracked as Mummy Spider, or TA542.

Simon Kenin, a security researcher at Deep Instinct, explained that over the years Emotet shifted to being a botnet of infected computers that will load whatever other malware the operator decides on, which is why the malicious spam is now sent to corporate email addresses rather than to individuals at home.

“When the operator of the botnet sees a high value target infected, he can sell access to a ransomware group, which will have initial access and try to hack the whole network,” explained Kenin. “The return on investment is much higher for ransomware than banking trojans these days. For other less valuable targets, a method of pay-per-install can be used and the operator just loads other cybercriminals' malware in bulk.”
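The delivery vector described above is a Word attachment whose macros only run if the recipient enables them, so the cheapest defensive control sits at the mail gateway: refuse or hold Office attachments that carry a VBA project before a user ever sees the lure image. The following added example (written for this article; it is not code from SC Media, Deep Instinct, or any Emotet sample) shows that check. It relies on two documented facts: a macro-enabled OOXML file (.docm/.xlsm/.pptm) is a zip containing a `vbaProject.bin` part, and legacy binary Office files start with the OLE2 magic bytes. The attachments it inspects are constructed in memory and are not real malware; the verdict names and the `triage_attachment` helper are assumptions of this example.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (OLE2) header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML containers are zip archives
# Parts whose presence makes a Word/Excel/PowerPoint OOXML file macro-enabled
VBA_MARKERS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")


def build_sample(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML document in memory (not a real Emotet file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A placeholder stream: only the part's presence matters for this check.
            z.writestr("word/vbaProject.bin", b"placeholder VBA project stream")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container carries a VBA project part (matched case-insensitively)."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = {name.lower() for name in z.namelist()}
    except zipfile.BadZipFile:
        return False
    return any(marker in names for marker in VBA_MARKERS)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Decide what a mail gateway should do with one attachment (assumed policy).

    Verdicts: 'quarantine' for macro-enabled OOXML regardless of the extension
    (a renamed .docm still contains the VBA part), 'review' for legacy OLE2
    files, whose macros this example cannot confirm without an OLE parser
    such as oletools, and 'allow' otherwise.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data):
        reason = "OOXML container includes a vbaProject.bin part"
        if ext in ("docx", "xlsx", "pptx"):
            reason += " although the .%s extension does not advertise macros" % ext
        return {"file": filename, "verdict": "quarantine", "reason": reason}
    if data.startswith(OLE_MAGIC):
        return {"file": filename, "verdict": "review",
                "reason": "legacy OLE2 Office document; hold for OLE macro inspection"}
    return {"file": filename, "verdict": "allow", "reason": "no VBA project detected"}


if __name__ == "__main__":
    # Constructed attachments standing in for what a gateway would see.
    samples = [
        ("invoice.docm", build_sample(True)),
        ("report.docx", build_sample(False)),
        ("renamed.docx", build_sample(True)),
        ("old.doc", OLE_MAGIC + b"\x00" * 24),
        ("notes.txt", b"hello"),
    ]
    for name, blob in samples:
        print(triage_attachment(name, blob))
```

The check looks inside the container rather than trusting the extension, because an attachment renamed from .docm to .docx still carries its VBA project and still deserves a quarantine decision. Legacy .doc files are deliberately routed to review rather than allowed, since their macro storage lives inside OLE streams that this short example does not parse.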