An active malspam campaign is distributing the Emotet banking Trojan via emails camouflaged to look like messages from several German federal authorities, warns the BSI, Germany's federal cybersecurity agency.

The attackers behind the campaign have already infected a number of federal administration authorities during the last few days, according to reports cited by the BSI (the Federal Office for Information Security, Bundesamt für Sicherheit in der Informationstechnik).

"Spam emails with malicious attachments or links are currently being sent on behalf of several federal agencies," the BSI says.

"The Federal Office for Information Security (BSI) calls for special caution and warns against opening these emails and links."

Biggest impact recommendations for SOCs, CERTs, and CSIRTs on how to block Emotet malspam:

Block macro office docs & emails w/ known bad URLs ASAP + Use URLhaus ClamAV signatures + Block known Emotet C&C communication.

Provided by @abuse_ch via https://t.co/rrsakWK7Dt — CERT-Bund (@certbund) December 16, 2019

Emotet malspam sent as replies in previous conversations

Besides the confirmed Emotet infections, the BSI suspects that there are further victims, and it is actively working with all affected German authorities to address the threat.

"These are primary infections that lead to further spam emails being sent on behalf of those affected," the BSI adds.

"The authorities have so far not had any harmful effects because the infections have been isolated and cleaned up."

The Emotet spam arrives in targets' inboxes as replies to existing email conversations, an effort to make the messages look like authentic correspondence from German federal agencies.

The BSI recommends checking the actual sender address of an email rather than relying only on the display name shown by the email client. Potential targets should also be aware that such spam emails often contain inconsistencies such as misspelled words and out-of-place formatting.

Users should also make sure not to enable macros when prompted by documents arriving via a suspicious email, and should immediately notify their organization's security team if they have opened such an attachment, whether accidentally or on purpose.

"If in doubt, you should clarify by telephone with the alleged sender whether an email was actually sent by the sender," the BSI further recommends.
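One way to automate the checks the BSI describes (real sender address versus displayed name, a "reply" arriving from a sender you have never corresponded with, and a macro-capable Office attachment), as an added example that is not BSI, CERT-Bund or BleepingComputer code. The two sample messages, the domains in them and the known-correspondent allow list are constructed for the example; the OLE magic bytes and the `vbaProject.bin` name are the standard markers of the legacy and OOXML macro containers.

```python
"""Header and attachment triage for suspected Emotet-style malspam (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.utils import parseaddr

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
MACRO_EXTS = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".pptm"}
REPLY_PREFIX = re.compile(r"^\s*(re|aw|wg|fwd?)\s*:", re.IGNORECASE)
# An address or bare domain embedded in the display name, e.g. "bsi@bsi.bund.de".
ADDR_OR_DOMAIN = re.compile(r"([\w.+-]+@)?([\w-]+\.)+[a-z]{2,}", re.IGNORECASE)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(msg) -> list:
    """Compare what the mail client displays with the address that actually sent it."""
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    m = ADDR_OR_DOMAIN.search(display)
    if m:
        shown = m.group(0).lower()
        shown_domain = _domain(shown) if "@" in shown else shown
        if shown_domain != from_domain:
            findings.append("display_name_domain_mismatch")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply_to_domain_mismatch")
    return findings


def check_thread(msg, known_correspondents) -> list:
    """A message posing as a reply, but from an address we never wrote to, is the
    thread-hijacking pattern the advisory describes."""
    _, addr = parseaddr(str(msg.get("From", "")))
    looks_like_reply = bool(msg.get("In-Reply-To")) or bool(
        REPLY_PREFIX.match(str(msg.get("Subject", ""))))
    if looks_like_reply and addr.lower() not in known_correspondents:
        return ["reply_from_unknown_sender"]
    return []


def check_attachments(msg) -> list:
    """Flag Office attachments that can carry VBA, by extension and by content."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_content()
        if not isinstance(data, bytes):
            data = str(data).encode()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in MACRO_EXTS:
            findings.append(f"macro_capable_extension:{name}")
        if data.startswith(OLE_MAGIC):
            findings.append(f"ole_compound_document:{name}")
        elif data.startswith(b"PK"):  # OOXML is a zip; macros live in vbaProject.bin
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                        findings.append(f"ooxml_with_vba_project:{name}")
            except zipfile.BadZipFile:
                pass
    return findings


def triage(raw: bytes, known_correspondents=frozenset()) -> list:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return (check_sender(msg) + check_thread(msg, known_correspondents)
            + check_attachments(msg))


# Constructed sample: a fake "reply" whose display name shows a federal address
# while the real sender and Reply-To are elsewhere, carrying a .doc (OLE header only).
SAMPLE_EML = b"""From: "bsi@bsi.bund.de" <maria.mueller@example-hosting.net>
Reply-To: noreply@another-example.org
To: opfer@example.de
Subject: AW: Rechnung Dezember 2019
In-Reply-To: <20191210.123456@example.de>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Sehr geehrte Damen und Herren, anbei das Dokument.
--b1
Content-Type: application/msword; name="Rechnung.doc"
Content-Disposition: attachment; filename="Rechnung.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

# Constructed benign reply from a correspondent we already know.
BENIGN_EML = b"""From: Maria Mueller <maria.mueller@example.de>
To: opfer@example.de
Subject: AW: Protokoll
In-Reply-To: <20191209.654321@example.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Hallo, anbei das Protokoll.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
    print(triage(BENIGN_EML, frozenset({"maria.mueller@example.de"})))
```

The known-correspondent set stands in for whatever your mail gateway can answer "have we ever sent to this address" from; without it, every reply-prefixed mail from a new sender is flagged, which is noisy but is exactly the signal the BSI asks users to verify by phone.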

The ongoing Emotet threat

Emotet is a banking Trojan first detected in 2014 that has since evolved into a botnet used to drop other malware payloads, such as the TrickBot banking Trojan, which in turn is known for delivering Ryuk ransomware to compromised machines.

Security researchers say that the Emotet botnet is operated by a threat actor that Proofpoint tracks as TA542 and CrowdStrike tracks as Mummy Spider. The group is known for "renting" the Emotet botnet out to other actors, such as the group behind TrickBot.

After a hiatus that began in early June, the Emotet command and control (C2) servers resumed activity and started delivering malware payloads again on August 22.

Cofense told BleepingComputer at the time that Emotet malspam was coming from 3,362 compromised senders, while the total count of unique domains used in these attacks reached 1,875 covering more than 400 TLDs.

The Emotet botnet arose from the grave yesterday and began serving up new binaries. We noticed that the C2 servers began delivering responses to POST requests around 3PM EST on Aug 21. Stay vigilant and keep an eye out for any updates as we monitor for any changes. — Cofense Labs (@CofenseLabs) August 22, 2019

Less than a month after its revival, on September 16, the Emotet botnet started spraying malicious emails around the globe.

Malspam distributing Emotet payloads was observed in attacks directed at a wide range of targets, including individuals, businesses, and government entities in the U.S., Germany, and the United Kingdom.

The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) provides technical advice on defending against Emotet attacks in an Emotet advisory published in early November.