Emotet Leads Malware Detections Worldwide

It began its journey as a banking Trojan back in 2014, but over time it has ended up becoming “the most dangerous malware in the world,” in Europol’s own words.

Emotet evolved to be seen as a benchmark by the cybercrime community. As a modular, polymorphic, self-propagating and persistent Trojan, it has managed to distribute other programs by exploiting different lures and evasion techniques. And it has been revived.

After undergoing prosecution by the European and American authorities in early 2021, Emotet went through a period of inactivity that lasted a few months. In November, it was once again one of the seven threats most used by criminals. And in 2022 it regained the number one spot.

This has been documented by the cybersecurity industry. Check Point Research’s Global Threat Index for March revealed that Emotet already affects a tenth of companies, doubling its number of victims in just one month.

Now HP Inc. releases the results of the global HP Wolf Security Threat Insights report and confirms that the Emotet nightmare is back with a vengeance.

The HP Wolf Security research team rates the increase in detections of malicious spam campaigns starring Emotet during the first quarter at 27%. This is compared to the last quarter of 2021, just when Emotet made its comeback.

This means that this threat has moved up 36 places to become the most common malware family. It represents, according to this report, 9 % of all malware captured.

“This is by far the most activity we’ve seen from Emotet since the group was disrupted in early 2021, a clear sign that its operators are regrouping, regaining strength and investing in botnet growth,” says Alex Holland, principal malware analyst on the HP Wolf Security threat research team at HP Inc.

“Emotet was once described by CISA as one of the most destructive and costly malware to remediate, and its operators often collaborate with ransomware groups, a pattern we can expect to continue,” Holland says. “So its re-emergence is bad news for both businesses and the public sector.”

“Emotet has also continued to favor macro attacks,” the security expert reports, “perhaps to get attacks in before Microsoft’s April deadline, or simply because people still have macros enabled and can be tricked into clicking on the wrong object.”

Forty-five percent of the malware isolated by HP Wolf Security corresponds to Office file formats.

The analyzed threats used 545 different malware families in their attempts to infect organizations around the world. After Emotet, the most widespread are AgentTesla and Nemucod.

Most of the malware is distributed via e-mail. The most commonly used attachments are, in this order, documents, files, executables and spreadsheets.