Beware, the Emotet botnet is back and pretends to be the Chamber of Notaries of Paris

Alexander Boero

November 04, 2022 at 3:30 p.m.



The Emotet group, which had taken a break of a few months, is back on the cyber scene, and particularly in France, where the Chamber of Notaries of Paris is being used as the lure in a phishing campaign.

Emotet is not dead. Worse, it has resumed service and continues to evolve, having been, since 2014, first a simple banking Trojan, then a botnet, and then a content distribution infrastructure. The takedown of Emotet carried out by international authorities at the beginning of last year did not get the better of it. It is back, via spam campaigns. In one of them, the attackers impersonate the Chamber of Notaries of Paris.

Emotet has recovered well, and is still betting on phishing

In this phishing campaign, revealed by Proofpoint researchers, the Emotet group impersonates the Chamber of Notaries of Paris and pushes the recipient of the e-mail to download a document attached to the message. Emotet targets several countries, including France, the USA, the UK, Japan, Germany, Italy, Mexico and Brazil.

To mark its return to prominence, Emotet (tracked as TA542) has tested different techniques, such as stealing credit card information from Google Chrome, delivered through spam campaigns that trick users into clicking links and opening infected files.


A fraudulent email from the latest Emotet campaign targeting the Paris Chamber of Notaries (© Proofpoint)

After several months of inactivity, Emotet has therefore reappeared, with a significant increase in infection attempts via spam campaigns, as identified by several cybersecurity companies.

Emotet has changed its modus operandi

Infoblox explains to us that Emotet's modus operandi has changed. The authorities were able to dismantle the group the first time because the infrastructure it used was owned by the attackers themselves, which allowed the police to identify and arrest them. "Now they rely on legitimate sites, which makes their network and infrastructure much harder to detect and stop," explains Laurent Rousseau, Solutions Architect Manager France at Infoblox.

France is now one of the preferred countries for hosting Command & Control servers for Emotet botnets.

Emotet is distributed to its victims mainly by e-mail, as attached files, mostly in Excel format, with XML macros. "These macros, even though Microsoft recommended disabling them at the beginning of 2022, are still a proven threat, because many organizations do not regularly update MS Office applications, and because in any case the use of these macros remains configurable by the user."
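For defenders who want a first triage of Excel attachments like the ones described above, the following Python script is an added example, not code from Proofpoint, Infoblox or the article. It assumes the standard OOXML layout of modern Excel files (a zip archive in which a VBA project is stored as xl/vbaProject.bin and Excel 4.0 macro sheets under xl/macrosheets/, with sheet visibility recorded in xl/workbook.xml), flags legacy OLE2 .xls files for deeper inspection with a proper OLE parser, and raises the risk level when a macro-bearing workbook also hides sheets. The sample workbooks it builds are constructed, minimal zips for demonstration, not real Emotet documents.

```python
import io
import re
import zipfile

# File signatures: legacy binary Excel (.xls) is an OLE2 compound file,
# modern Excel (.xlsx/.xlsm) is a zip container.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def triage_excel_attachment(data: bytes) -> dict:
    """Return static findings for an Excel attachment supplied as raw bytes.

    Assumed OOXML conventions (see lead-in):
      xl/vbaProject.bin      -> a VBA macro project is embedded
      xl/macrosheets/*.xml   -> Excel 4.0 (XLM) macro sheets are present
      <sheet ... state="hidden"|"veryHidden"> in xl/workbook.xml -> hidden sheet
    """
    findings = {
        "container": None,
        "vba_project": False,
        "xlm_macrosheets": [],
        "hidden_sheets": [],
        "risk": "low",
    }
    if data.startswith(OLE2_MAGIC):
        # Legacy .xls: VBA and XLM live inside OLE streams, which this
        # script does not parse; hand the file to an OLE-aware tool.
        findings["container"] = "ole2"
        findings["risk"] = "review"
        return findings
    if not data.startswith(ZIP_MAGIC):
        findings["container"] = "unknown"
        return findings

    findings["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["vba_project"] = "xl/vbaProject.bin" in names
        findings["xlm_macrosheets"] = sorted(
            n for n in names if n.startswith("xl/macrosheets/")
        )
        if "xl/workbook.xml" in names:
            workbook = zf.read("xl/workbook.xml").decode("utf-8", errors="replace")
            # \b keeps <sheets> from matching; only <sheet .../> entries are inspected.
            for match in re.finditer(r"<sheet\b[^>]*>", workbook):
                tag = match.group(0)
                state = re.search(r'state="(hidden|veryHidden)"', tag)
                name = re.search(r'name="([^"]*)"', tag)
                if state:
                    findings["hidden_sheets"].append(
                        (name.group(1) if name else "?", state.group(1))
                    )

    if findings["vba_project"] or findings["xlm_macrosheets"]:
        # Macros plus hidden sheets is the pattern to escalate; macros alone
        # still deserve a look but may be legitimate business workbooks.
        findings["risk"] = "high" if findings["hidden_sheets"] else "medium"
    return findings


def build_sample(with_xlm: bool, hidden: bool) -> bytes:
    """Build a constructed, minimal OOXML-style zip for demonstration only.

    It is not a real workbook; it only reproduces the entries the triage
    function looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        if with_xlm:
            state = ' state="veryHidden"' if hidden else ""
            sheets += f'<sheet name="Macro1" sheetId="2"{state} r:id="rId2"/>'
        zf.writestr("xl/workbook.xml", f"<workbook><sheets>{sheets}</sheets></workbook>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("clean workbook", build_sample(False, False)),
        ("XLM macro sheet, visible", build_sample(True, False)),
        ("XLM macro sheet, veryHidden", build_sample(True, True)),
        ("legacy .xls", OLE2_MAGIC + b"\x00" * 64),
    ]:
        print(f"{label}: {triage_excel_attachment(blob)}")
```

The script is deliberately static and dependency-free, so it can run in a mail-gateway sandbox without opening the document in Excel; its output is a prioritisation signal for analysts, not a verdict, and a "review" result on a legacy .xls means the file still needs an OLE-aware parser.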
