The notorious Emotet malware has returned with renewed vigor as part of a high-volume malspam campaign designed to drop payloads like IcedID and Bumblebee.

Hundreds of thousands of emails per day have been sent since early November 2022, enterprise security company Proofpoint said last week, adding, "the new activity suggests Emotet is returning to its full functionality acting as a delivery network for major malware families."

Among the primary countries targeted are the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil.

The Emotet-related activity was last observed in July 2022, although sporadic infections have been reported since then. In mid-October, ESET revealed that Emotet may be readying for a new wave of attacks, pointing out updates to its "systeminfo" module.

The malware, which is attributed to a threat actor known as Mummy Spider (aka Gold Crestwood or TA542), staged a revival of sorts late last year after its infrastructure was dismantled during a coordinated law enforcement operation in January 2021.

Europol called Emotet the "world's most dangerous malware" for its ability to act as a "primary door opener for computer systems" to deploy next-stage binaries that facilitate data theft and ransomware. It started off in 2014 as a banking trojan before evolving into a botnet.

Infection chains involving the malware are known to employ generic lures as well as the technique of email thread hijacking to lure recipients into opening macro-enabled Excel attachments.

The renewed activity has also been accompanied by changes to the Emotet loader component, and addition of new commands, and updates to the packer to resist reverse engineering.

One of the follow-on payloads distributed through Emotet is a brand new variant of the IcedID loader, which receives commands to read and send file contents to a remote server, in addition to executing other backdoor instructions that allow it to extract web browser data.

The information contained in this website is for general information purposes only. The information is gathered from TheHackerNews, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.