Cyber criminals have been actively pushing Emotet malware to drop the IcedID trojan since early November 2018.
The activity was spotted and documented in a recent blog post by Brad Duncan of the SANS Internet Storm Center (ISC). Once a system was infected, Emotet was also used to deliver the IcedID banking Trojan as its follow-up malware.
Emotet is an advanced, modular banking Trojan and also functions as a downloader or dropper of other banking Trojans.
“As Symantec and others have reported, the group behind Emotet has evolved from maintaining its own banking Trojan, and it now also distributes malware for other groups. I commonly see follow-up malware like Trickbot and Zeus Panda Banker during Emotet infections generated in my lab environment,” Duncan noted.
US-CERT also described Emotet as “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” in an alert back in July of 2018. SLTT governments have experienced up to $1M in remediation costs for each Emotet malware infection.
Symantec also wrote about the threat back in July in an article titled “The Evolution of Emotet: From Banking Trojan to Threat Distributor.”
According to Symantec, Emotet often attempts to brute force passwords as its primary method of self-propagation. This can also lead to account lockouts, an increase in IT help desk calls, and a loss of productivity.
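The brute-force propagation described above leaves a recognisable trace in authentication logs: one source host generating a burst of failed logons against many different accounts, followed by lockouts. The following detection sketch is an added example, not code from the article, Symantec, or ISC; the log format, host names, and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simple "timestamp|event_id|source_host|account"
# form (4625 = failed logon, 4740 = account locked out). Not real telemetry.
SAMPLE_LOG = [
    "2018-11-14T09:00:01|4625|WKSTN-07|alice",
    "2018-11-14T09:00:02|4625|WKSTN-07|bob",
    "2018-11-14T09:00:03|4625|WKSTN-07|carol",
    "2018-11-14T09:00:04|4625|WKSTN-07|dave",
    "2018-11-14T09:00:05|4625|WKSTN-07|alice",
    "2018-11-14T09:00:06|4625|WKSTN-07|bob",
    "2018-11-14T09:00:07|4740|WKSTN-07|alice",
    "2018-11-14T09:00:08|4625|WKSTN-07|erin",
    "2018-11-14T09:00:09|4625|WKSTN-07|frank",
    "2018-11-14T09:00:10|4625|WKSTN-07|carol",
    "2018-11-14T09:00:11|4625|WKSTN-07|dave",
    "2018-11-14T09:00:12|4740|WKSTN-07|bob",
    "2018-11-14T09:01:00|4625|WKSTN-12|grace",  # a single mistyped password
    "2018-11-14T09:30:00|4625|WKSTN-12|grace",  # well outside the window
]

def parse_event(line):
    """Split one constructed log line into (timestamp, event_id, host, account)."""
    ts, event_id, host, account = line.strip().split("|")
    return datetime.fromisoformat(ts), int(event_id), host, account

def find_bruteforce_sources(lines, window=timedelta(minutes=5),
                            min_failures=8, min_accounts=4):
    """Return {source_host: (failures, distinct_accounts, lockouts)} for each
    host whose failed logons inside some sliding window exceed both thresholds.
    Requiring many *distinct* accounts separates propagation from a user
    repeatedly mistyping one password."""
    by_host = defaultdict(list)
    for ts, event_id, host, account in map(parse_event, lines):
        by_host[host].append((ts, event_id, account))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            fails = [e for e in span if e[1] == 4625]
            accounts = {e[2] for e in fails}
            lockouts = sum(1 for e in span if e[1] == 4740)
            if len(fails) >= min_failures and len(accounts) >= min_accounts:
                hits[host] = (len(fails), len(accounts), lockouts)
                break  # one alert per host is enough
    return hits
```

Running `find_bruteforce_sources(SAMPLE_LOG)` flags only WKSTN-07; the lockout count is a useful secondary signal because it is what drives the help desk calls the article mentions.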
In addition, Emotet can spread to additional systems using a spam module that it installs on infected victim machines.
“This module generates emails that use standard social engineering techniques and typically contain subject lines including words such as ‘Invoice’,” Symantec said.