Emotet Malware Resurgence
First wave of the year 2023
https://en.wikipedia.org/wiki/Emotet
Emotet, a Trojan that is distributed via spam emails, has been prevalent since its first appearance in 2014. With a network made up of multiple botnets, Emotet has continuously sent out spam emails in campaigns designed to infect users via phishing attacks.
Background
Europol considers Emotet one of the world's most dangerous malware families. It was first discovered in 2014 as a banking Trojan. This report focuses specifically on Emotet malware protection and IOC detection by the Security Fabric products.
Announced
March 7, 2023: After several months of inactivity, the Emotet botnet resumed email activity and was seen adopting new methods of evasion by using Microsoft OneNote attachments and archive bombs.
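A defender-side attachment triage check for the two evasion methods named above (OneNote attachments and archive bombs), as an added example that is not FortiGuard's or the page's own code; the extension list, the compression-ratio limit and the uncompressed-size limit are assumed values a mail gateway policy would set, and the sample attachments are constructed inline.

```python
import io
import zipfile

# Assumed policy values: what counts as a OneNote attachment and when an
# archive looks like a decompression bomb (ratio or absolute expanded size).
ONENOTE_EXTENSIONS = (".one", ".onepkg")
MAX_COMPRESSION_RATIO = 100.0
MAX_UNCOMPRESSED_BYTES = 50 * 1024 * 1024


def analyze_attachment(filename, data):
    """Return the list of reasons an attachment should be quarantined.

    An empty list means no finding. Reasons are short tags so a gateway
    rule or a SIEM search can match on them.
    """
    reasons = []
    if filename.lower().endswith(ONENOTE_EXTENSIONS):
        reasons.append("onenote-attachment")

    # Only inspect ZIP containers; other archive formats are out of scope here.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()
            # Read sizes from the central directory only; nothing is extracted,
            # so a bomb cannot exhaust memory or disk during the check.
            uncompressed = sum(e.file_size for e in entries)
            compressed = sum(e.compress_size for e in entries) or 1
            ratio = uncompressed / compressed
            if ratio > MAX_COMPRESSION_RATIO or uncompressed > MAX_UNCOMPRESSED_BYTES:
                reasons.append(f"archive-bomb ratio={ratio:.0f} expanded={uncompressed}")
            if any(e.filename.lower().endswith(ONENOTE_EXTENSIONS) for e in entries):
                reasons.append("onenote-in-archive")
    return reasons


def build_sample_zip(inner_name, payload):
    """Build a constructed in-memory ZIP so the check can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    bomb = build_sample_zip("report.txt", b"\x00" * (10 * 1024 * 1024))
    print(analyze_attachment("invoice.zip", bomb))
    print(analyze_attachment("notes.one", b"constructed"))
```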
Latest Developments
November 16, 2021: Hundreds of malware samples were flagged as VB/Dloader.BLG!tr.
March 23, 2022: FortiGuard Labs released threat research on Emotet: "MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II".
April 18, 2022: FortiGuard Labs research on "Trends in the Recent Emotet Maldoc Outbreak".
March 20, 2023: Alert on the resurgence of Emotet malware updated by JPCERT.
PROTECT

Countermeasures across the security fabric for protecting assets, data and network from cybersecurity events:

Kill chain stages: Reconnaissance, Weaponization, Delivery (the countermeasures below apply at the Delivery stage)

AV

Detects and blocks the Emotet payload

DB 91.01635
AV (Pre-filter)

Detects and blocks the Emotet payload

DB 91.01635
Behavior Detection

Behavior Detection Engine detects Emotet malware as high risk and blocks zero-day threats

Anti-spam

Detects and filters spam in the mailbox

Kill chain stages: Exploitation, Installation, C2, Action
DETECT

Find and correlate important information to identify an outbreak; the following updates are available to raise alerts and generate reports:

IOC

DB 0.02499
Outbreak Detection

DB 1.00095
Threat Hunting
RESPOND

Develop containment techniques to mitigate impacts of security events:

Automated Response

Services that can automatically respond to this outbreak.

Assisted Response Services

Experts to assist you with analysis, containment and response activities.

RECOVER

Improve security posture and processes by implementing security awareness and training, in preparation for (and recovery from) security incidents:

InfoSec Services

Security readiness and awareness training for SOC teams, InfoSec and general employees.

IDENTIFY

Identify processes and assets that need protection:

Attack Surface Monitoring (Inside & Outside)

Security reconnaissance and penetration testing services covering both internal and external attack vectors, including those introduced internally via the software supply chain.