Lock up your Office macros: Emotet botnet back from the dead with Trickbot links

Nice to have nearly a year off from that malspam threat, but now it's returned


The Emotet malware delivery botnet is back, almost a year after law enforcement agencies bragged about shutting it down and arresting the operators.

The SANS Institute's Internet Storm Centre (ISC) was one of many organisations to confirm overnight that the spam-based malware delivery network was back online following police raids in January 2021 targeting its command and control infrastructure.

Detailing emails the ISC had seen circulating in the wild with malicious Word, Excel, and .zip archive files attached, the org's Brad Duncan blogged: "These emails were all spoofed replies that used data from stolen email chains, presumably gathered from previously infected Windows hosts."

The revival of Emotet is serious because in its final form the Windows malware network was increasingly being used to deliver ransomware, as well as the traditional online banking credential-stealing code it was previously best known for. Typically spam emails sent by Emotet contain a document in a common file format with embedded macros.

The messages involve references to current news events, fake invoices, or memos from corporate superiors, and suchlike, to deceive users into opening the attached file and running the macros, which drop the Emotet malware itself onto the host computer. In the past Emotet has been seen delivering ransomware from well-known criminal gangs such as Conti, Ryuk, and more.

In April, German police took the mildly controversial step of cleansing other people's infected machines of Emotet, something UK authorities explicitly stopped short of doing.

Malware command-and-control (C2) tracking site Abuse.ch listed a variety of live Emotet C2 servers at the time of writing, painting a very different picture to the one seen immediately after January's takedown raids.

Callum Roxan, F-Secure's head of threat intelligence, linked Emotet's Lazarus-style rise from the grave to TrickBot, a superficially similar banking trojan (an alleged developer of which was arrested in South Korea earlier this year).

"Emotet's re-emergence is a notable event due to the prevalence of this malware family historically. There are indications that Emotet was initially being deployed by TrickBot and has since started sending out phishing emails as well," said Roxan.

Meanwhile, Dr Süleyman Özarslan, co-founder of red-teaming firm Picus Security, compared it to "seeing the ghost of Christmas Past," and opined that Emotet might be gearing up to take advantage of the imminent holiday season.

"Phishing has always been the primary method used to distribute Emotet and in 2018 festive emails were used as a lure to trick victims into successfully downloading malicious Word documents disguised as Christmas cards," said Dr Özarslan.

An early technical analysis of the latest Emotet payloads (complete with IOCs) was published in the small hours of Monday by Germany-based infosec firm G DATA, which observed that a recent sample is now using HTTPS with a self-signed certificate to encrypt its C2 traffic. The original Emotet ran over unencrypted HTTP.

"As per the famous duck-typing, we conclude so far: smells like Emotet, looks like Emotet, behaves like Emotet – seems to be Emotet," concluded the firm.

As for what to do about its return? Digital Shadows threat intelligence analyst Stefano de Blasi blogged: "Security teams should follow basic cyber security hygiene practices to ensure adequate protection much in the same way as other malware variants."

While an Emotet infection is no laughing matter, preventing one is just a matter of doing the basics right. Disabling auto-running of macros in Microsoft Office files won't hurt either. ®
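Since the article's one concrete recommendation is to keep Office macros from running, a mail filter can also refuse the delivery vehicle itself: the macro-bearing Word or Excel attachment, plain or wrapped in a .zip. The following is an added illustration, not code from the article, SANS/ISC or G DATA; it assumes zip-based OOXML attachments (legacy OLE .doc/.xls are out of scope) and uses constructed sample files rather than real documents.

```python
import io
import zipfile

# OOXML package parts that hold VBA code; a plain .docx/.xlsx never has one.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OFFICE_EXTS = (".docm", ".docx", ".xlsm", ".xlsx", ".pptm", ".pptx")

def office_has_macros(data: bytes) -> bool:
    """True if `data` is a zip-based Office package containing a VBA project.
    The check is on content, so a macro file renamed to .docx is still caught."""
    if not data.startswith(b"PK"):
        return False  # not a zip container (legacy OLE formats not handled here)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = set(pkg.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)

def find_macro_attachments(attachments: dict) -> list:
    """Return attachment names (or 'archive:member') that carry macros.
    `attachments` maps filename -> raw bytes, as a mail filter would see them."""
    hits = []
    for name, data in attachments.items():
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for member in archive.namelist():
                        if member.lower().endswith(OFFICE_EXTS) and \
                                office_has_macros(archive.read(member)):
                            hits.append(f"{name}:{member}")
            except zipfile.BadZipFile:
                continue  # corrupt or mislabelled .zip: nothing to inspect
        elif office_has_macros(data):
            hits.append(name)
    return hits

def _build_zip(parts: dict) -> bytes:
    """Build an in-memory zip; used only to create the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for part_name, content in parts.items():
            z.writestr(part_name, content)
    return buf.getvalue()

# Constructed samples (not real documents): a macro-enabled Word file, a clean
# workbook, and a .zip wrapping the macro file under a harmless-looking .docx name.
MACRO_DOC = _build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>",
                        "word/vbaProject.bin": b"\x00vba"})
CLEAN_XLSX = _build_zip({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<w/>"})
SAMPLE_MAIL = {"invoice.docm": MACRO_DOC, "report.xlsx": CLEAN_XLSX,
               "docs.zip": _build_zip({"scan.docx": MACRO_DOC})}
```

Running `find_macro_attachments(SAMPLE_MAIL)` flags the direct attachment and the archived one while leaving the clean workbook alone, which is the decision a gateway rule would act on.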
