Refreshed from its holiday, Emotet has gone phishing

Emotet is back. After another months-long lull since a spate of attacks in November 2022, the notorious malware operation that has already survived a law enforcement takedown and various periods of inactivity began sending out malicious emails on Tuesday morning.

Researchers with cybersecurity firms Codefense and Cryptolaemus, which track Emotet activity, both reported a sudden startup in the spamming from the botnet. And Palo Alto Networks' Unit 42 threat intelligence group tweeted about the new activity, with the researchers saying they had "also seen new #Emotet #malspam and the associated malware (inflated Word docs and inflated Emotet Dll files)."

It's unknown why the operation has started up now after three months of no activity, or how long it will last – the previous spamming in November 2022 lasted two weeks before everything stopped, and even that was preceded by three months of quiet.

However, Emotet's return has generated a lot of discussion in the cybersecurity world about malware that less than a year ago was ranked by Check Point as the world's top cyberthreat.

"We are seeing [Emotet's] Red Dawn templates that are very large coming in at over 500MB," Cryptolaemus tweeted about the Russia-linked malware operation. "Currently seeing a decent flow of spam … Get ready because here comes fat docs from Ivan!"

An evolving threat

Emotet started life almost a decade ago as a banking trojan, but it soon evolved into a malware delivered through spear-phishing campaigns, including emails that contain malicious Microsoft Word and Excel attachments. In January 2021, law enforcement from the US, UK, Europe, and Ukraine took apart the operation's infrastructure, but the group resurfaced 10 months later.

"The malware and actors resumed operations with a vengeance and rose back up to become one of the top malware families used in phishing attacks," cybersecurity outfit AttackIQ wrote in a report last month.

One of Emotet's attributes has been its flexibility in attachment types used to evade detection signatures, according to AttackIQ.

Codefense writes that the malicious emails being sent this week appear to be replying to email chains that already exist, with ZIP files that are not password-protected, and attempt to entice potential victims to open them by posing as financial documents or invoices.

The ZIP files contain an Office document with macros that, once opened, prompts the victim to "Enable Content." Doing this will let the malicious macros run and download an Emotet DLL from another site and execute it on the machine.

• Acer confirms server intrusion after miscreant offers 160GB cache of stolen files
• DoppelPaymer ransomware suspects cuffed, alleged ringleaders escape
• Dish: Someone snatched our data, if you're wondering why our IT systems went down
• News Corp outfoxed by IT intruders for years

In the past, once malware was running on the system, it was known – sometimes after waiting for a period of time – to steal credentials and personal information and download other malicious code. In November, there were indications it was delivering the IcedID malware dropper and Bumblebee loader.

According to AttackIQ, Emotet also acts as malware-as-a-service, selling access to compromised systems to other miscreants, who would then load their own malware via the command-and-control channels created through the Emotet infections.

Patch those systems

Emotet's return also has security experts reminding enterprises of steps they should take to protect against Emotet and similar cyberthreats, including keeping systems up to date, patching vulnerabilities, and training staff to be cautious before opening an attachment.

"Traditional detection mechanisms, including those embedded in email platforms such as Office365, struggle to identify these trojans as they evolve at break-neck speed," Dror Liwer, co-founder of security company Coro, told The Register.

Liwer added that at the center of a holistic approach to cybersecurity needs to be employees: "Training, fire-drills, and simulations must be done on a regular basis, not once a year."

Will LaSala, field CTO for cybersecurity group OneSpan, called Emotet "a dangerous mobile malware variant," telling The Register that they "are designed to attack specific organizations and markets, such as the financial space. Mobile malware is ever changing and can change quickly and be redeployed to attack new verticals in a moment's notice."

An interesting point on the latest Emotet campaign is that it looks to take advantage of macros in the malicious Microsoft documents. However, Microsoft last year began blocking Visual Basic for Application (VBA) macros by default in Word, Excel, and other files downloaded from the internet to close a popular avenue for threat groups. Now users who want to open such a file are greeted by a warning about the risk of doing so.

The move forced miscreants to shift their strategies, targeting other tools like Excel DLL add-ins, which Microsoft also has begun to block from the internet. ®