Proofpoint reports it has observed one of the world’s most disruptive cybersecurity threats, a malicious email campaign distributing the malware known as Emotet, return from holidays. The global campaign began on Monday. Proofpoint observed TA542 targeting potential victims in the Western Hemisphere (the U.S., Canada, and Mexico), with a particular focus on the pharmaceutical industry.
TA542, the threat actor group behind Emotet, is capable of sending incredible message volumes in a short period of time; that is one of the things that makes it such a significant threat. On Monday alone we saw nearly three quarters of a million messages, and the campaign is already fast approaching one million messages in total. For context, this isn’t the highest volume we’ve ever seen from this actor (that was over one million messages in a single day), but Monday was the highest daily volume since April 2019.
Based on past activity and what our researchers are seeing, organizations around the globe should take Emotet’s return seriously. Throughout its history, TA542 has run widespread email campaigns on a huge, international scale that have affected North America, Central America, South America, Europe, Asia, and Australia. TA542’s continued use of Emotet should also be cause for concern: Emotet is a robust, modular botnet capable of downloading and installing a range of additional malware, which often steals information and sends further malicious email. Emotet can also spread across networks and use infected devices to launch further attacks. In short, Emotet is highly effective malware operated by a highly effective and sophisticated threat group with large global infrastructure.
To put the potential threat of Emotet’s latest return in perspective: even though Emotet was inactive for all but the last two weeks of Q3 (July through September), it still accounted for over 11% of all malicious payloads for the quarter.