
TAU-TIN - Emotet Banking Trojan

Summary

First discovered in 2014, Emotet has made waves in the security world because of the way it targets and exploits the banking industry. Earlier this year, the TAU team reported on a spike in Emotet activity. Since then, it has been seen in various small campaigns. However, this week we saw massive Emotet campaigns starting with multiple types of malware payloads such as Trickbot. Coincidentally, this recent surfacing of Emotet appears to have started on Guy Fawkes Night, November 5th. The last sizable spike observed on this scale was around one month prior. For this latest round of Emotet, there are effectively two active campaigns, and each has the ability to supply different payloads.

The TAU team at Carbon Black always strives to work actively with the InfoSec community. With the recent flurry of Emotet activity observed in the wild, a researcher in the community collated a list of the two active campaigns and their associated IOCs for public consumption. Although the extensive list of IOCs can be accessed directly from the sites referenced at the end of this notification, the TAU team believes that it would be highly beneficial to share this among our customers and partners for added visibility.


Credits:

Special thanks to Joseph Roosen (@JRoosen) for contributing the following:

https://pastebin.com/p8h0PwNK

This is a post contributed to by Andrew Costis, Swee Lai Lee, and myself.

Creation Date: 03-05-2019