In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method.
After loading IcedID and establishing persistence, there were no further actions other than beaconing for over 30 days.
The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server.
The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.
Emotet returned to the email threat landscape in early November for the first time since July 2022. It is once again one of the most high-volume actors observed by Proofpoint, distributing hundreds of thousands of emails per day.
Proofpoint observed multiple changes to Emotet and its payloads, including the lures used and changes to the Emotet modules, loader, and packer.
Emotet was observed dropping IcedID.
The new activity suggests Emotet is returning to its full functionality, acting as a delivery network for major malware families.
New operators or management might be involved, as the botnet shows some key differences from previous deployments.