Cisco’s Talos security team posted an explanation of why Emotet is so successful. Spam sent by Emotet often appears to come from a person the target has corresponded with in the past and quotes the bodies of previous email threads the two have participated in.
Emotet gets this information by raiding the contact lists and email inboxes of infected computers. The botnet then sends a follow-up email to one or more of the same participants and quotes the body of the previous email. It then adds a malicious attachment.
The malicious messages are hard for both humans and spam filters to detect. The use of previously sent emails isn't new, since Emotet did the same thing before it went silent in early June. But with its return this week, the botnet is relying on the trick much more.
A quarter of the spam Emotet sent this week included previously sent emails, compared with about eight per cent of spam messages sent in April.
"To make sending the spam easier, Emotet also steals the usernames and passwords for outgoing email servers," the report adds. "Those passwords are then turned over to infected machines that Emotet control servers have designated as spam emitters. The Talos researchers found almost 203,000 unique pairs that were collected over a 10-month period."
Malwarebytes says Emotet has brought back another tactic where it refers to targets by name in subject lines.
"Once opened, the documents attached to the emails claim that, effective September 20, 2019, users can only read the contents after they have agreed to a licensing agreement for Microsoft Word," reports Ars Technica. "And to do that, according to a post from security firm Cofense, users must click on an Enable Content button that turns on macros in Word."
"After Office macros are enabled, Emotet executables are downloaded from one of five different payload locations," Cofense researchers Alan Rainer and Max Gannon wrote. "When run, these executables launch a service that looks for other computers on the network. Emotet then downloads an updated binary and proceeds to fetch TrickBot if a (currently undetermined) criteria of geographical location and organisation are met."
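A defender-side illustration of the two behaviours described above, added here as an example and not code from Talos, Cofense or Ars Technica: it scans a constructed SMTP submission log for accounts whose stolen credentials authenticate from many different client IPs, then flags replies from those accounts that carry macro-capable Office attachments. The log format, account names and addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed SMTP submission log (format is assumed, not Talos's):
# ts user=<account> ip=<client> reply=<y|n> attach=<filename|->
SAMPLE_LOG = """\
2019-09-17T08:01:12 user=alice@example.com ip=10.0.0.21 reply=y attach=-
2019-09-17T08:03:40 user=alice@example.com ip=10.0.0.21 reply=n attach=budget.xlsx
2019-09-17T09:12:03 user=bob@example.com ip=10.0.0.42 reply=y attach=notes.pdf
2019-09-17T09:15:55 user=bob@example.com ip=198.51.100.7 reply=y attach=INVOICE_20190917.doc
2019-09-17T09:16:30 user=bob@example.com ip=203.0.113.9 reply=y attach=INVOICE_20190917.doc
2019-09-17T09:17:02 user=bob@example.com ip=192.0.2.77 reply=y attach=Contract.doc
2019-09-17T10:00:00 user=carol@example.com ip=10.0.0.55 reply=y attach=report.doc
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
                     r"reply=(?P<reply>[yn]) attach=(?P<attach>\S+)$")
# Office formats that can carry VBA macros (legacy binary and macro-enabled OOXML).
MACRO_EXT = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".pptm")

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_suspicious(events, max_ips=2):
    """Accounts authenticating from more than max_ips distinct client IPs in the
    window: one stolen credential being used by several spam emitters."""
    ips = defaultdict(set)
    for e in events:
        ips[e["user"]].add(e["ip"])
    return {u: sorted(s) for u, s in ips.items() if len(s) > max_ips}

def flag_reply_chain_lures(events, suspicious):
    """Replies from a suspicious account that carry a macro-capable Office
    attachment: the hijacked-thread lure described in the article."""
    return [(e["ts"], e["user"], e["ip"], e["attach"]) for e in events
            if e["user"] in suspicious and e["reply"] == "y"
            and e["attach"].lower().endswith(MACRO_EXT)]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hit in flag_reply_chain_lures(events, find_suspicious(events)):
        print("ALERT", *hit)
```

Legitimate users who roam between networks will also trip the distinct-IP threshold, so in practice the count is a triage signal to combine with the attachment check rather than an alert on its own.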