Sophos, a player in network and endpoint security, published a SophosLabs Uncut report about the multi-faceted malware that has become more prevalent and dangerous over time, Emotet.
The malware operates on a mass scale. Everything it does, it does in bulk. A typical infection begins when the victim receives a specially crafted spam email. Emotet’s creators send these out by the thousands and, in some cases, the bots themselves send more. The lures employ mass-created malicious document files. The payload URLs, from where the malware eventually gets downloaded, come in large batches, with the same file hosted in multiple locations in case some of those sites get shut down (and they do).
In order to operate at this scale, Emotet’s creators seem to have refined the process by which they customize each batch of messages they transmit. The message changes slightly, though it may follow a common trope, or thematic pattern: A shipping confirmation, purchase order, or an invoice asking the recipient to pay the sender (whom the recipient will likely never have heard of).
Moreover, people who look at this kind of spam, day in and day out, can’t help but notice the profusion of spelling errors, typos, grammatically challenged copy, and other small failures of attention to detail in these messages. I’m as guilty of this as anyone else. And yet, it doesn’t seem to matter that these messages contain oddly constructed sentences, or misspellings of the name of a government agency in messages ostensibly sent by that government agency.
In many cases Emotet also tries to steal data, turning a malware infection into a data breach. Some Emotet variants skim email addresses and names from email client data and archives, likely so they can be sold as part of a wider list and used to spread more malicious spam. Others inspect your web browser, stealing histories and saved usernames and passwords.