Emotet: A steadily evolving botnet with new malspam techniques

The malware botnet known as Emotet served as a banking Trojan when it first appeared in 2014. It was distributed using spam campaigns that mimicked financial documents, transfers, and payment invoices. Emotet spreads mostly through Office email attachments that contain a macro. If enabled, it downloads and then executes the malicious PE file, Emotet.

Instead of prompting users to enable cell macro, Emotet tricks the user to copy the Excel file into the Microsoft Office Templates folder before relaunching it. This exploits the fact that the ‘Templates’ folder is considered a trusted location according to Microsoft Office policy, implying that the macro is run immediately without a security warning. Emotet has become active again in 2023 with different tactics using weaponized Excel file, unlike previously identified similar attacks. The malicious files are distributed using random phishing emails with attachments, dispersing and hiding multiple formulas with white text in the Excel sheet.

A recent wave of malspam campaigns in January 2023 that use password-protected archive files to install CoinMiner and Quasar RAT on infected PCs have also been linked to the infamous Emotet botnet. The ZIP or ISO attachment, which is disguised as an invoice, holds a nested self-extracting (SFX) package. The first archive is an SFX RAR (RARsfx) that only has the ability to run another RARsfx that it contains. Despite being password-protected, the second RARsfx’s content can be extracted and executed without any user input.

The threat known as CoinMiner uses the resources of the infected system to mine cryptocurrencies. Due to its ability to access Microsoft Outlook profiles and read user data from web browsers, this malware can also display credential-stealing behavior.

In nations including the United States, the United Kingdom, Germany, France, Italy, Canada, Australia, Spain, and Japan, the Emotet malware botnet has primarily targeted sectors like financial services, healthcare, manufacturing, retail, government, and telecommunications.


  1. https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware
  2. https://www.scmagazine.com/analysis/vulnerability-management/stealthy-headcrab-malware-compromised-1200-redis-servers-worldwide
SISA’s Latest
close slider