Emotet Returns for Christmas With a New Bag of Tricks

  • Emotet has received a refresh in its infrastructure and some new obfuscation tricks, returning to the wild.
  • The distribution involves emails of varying themes, all carrying a password-protected ZIP attachment.
  • People are advised not to download attachments and to avoid enabling content on MS Office.

The persistent botnet known as “Emotet” has updated its payloads and distribution channels and is back online for the holidays. Researchers from Cofense warn about the new targeting, tactics, and the signs of the Emotet activity, which had dropped down to zero between October and November.

From the perspective of the malware’s abilities, these revolve around the same info-stealing stuff like credential harvesting from browsers, email content exfiltration, and the abuse of the victim’s contacts list for further distribution.

According to Cofense, the latest email themes used by Emotet actors are relevant to invoices, payments, holiday gift cards, etc. However, due to the wide-scope targeting of the botnet, there are quite a few email themes used in the wild, as well as different languages. What is common in all of these is the presence of a password-protected ZIP file attachment, which contains a macro-ridden Microsoft Office document.

Source: Cofense

One key difference of the new document compared to earlier versions is that once the victim “enables content” and the macro runs, an error dialog appears saying that “Word experienced an error trying to open the file.” This is meant to help in keeping the infection secret, as the victim may falsely believe that nothing was executed after all. In reality, though, Emotet is already running in the background.

Source: Cofense

To evade detection from AV tools, the new strain is using the Windows built-in “rundll32.exe” for its initialization, whereas previously, it used a standalone executable. This is not a strong move, but it certainly reduces the chances of detection, even if slightly. Finally, in regards to the C2 communications, the plaintext data approach was abandoned for using binary data, adding some form of basic obfuscation to protect against unsophisticated network security solutions.

The secondary payloads remain TrickBot, Qakbot, and Zloader, with the first one noticed in the majority of the most recent cases. All in all, Emotet’s authors have made some effort to upgrade the arrant botnet and increase its chances of success. Still, if you’re careful and use good enough AV and internet security solutions, you have nothing to fear. Just don’t open attachments that come via unsolicited communications and don’t enable content on your MS Office suite.

REVIEW OVERVIEW

Latest

M1 MacBook Users Report Their Screens Cracking and Nobody Knows Why

A growing number of M1 MacBook owners are reporting mysterious cracks on the laptop’s screen.The users claim they never mishandled or dropped...

Scientists Prove Tricking Sophisticated Voice Authentication Systems Is Feasible

Researchers proved that state-of-the-art voice verification systems can be fooled using existing tools.All that would be needed is a set of machine-learning...

DISH and Sling TV Filed Lawsuits Targeting 4 Sports Streaming Pirate Sites

DISH and Sling TV filed a lawsuit against 'SportsBay', 'Freefeds', and 'live NBA' streaming domains.These platforms are redistributing the broadcasters’ sports channels...