Emotet Returns for Christmas With a New Bag of Tricks

  • Emotet has received a refresh in its infrastructure and some new obfuscation tricks, returning to the wild.
  • The distribution involves emails of varying themes, all carrying a password-protected ZIP attachment.
  • People are advised not to download attachments and to avoid enabling content on MS Office.

The persistent botnet known as “Emotet” has updated its payloads and distribution channels and is back online for the holidays. Researchers from Cofense warn about the botnet’s new targeting and tactics and describe the signs of Emotet activity, which had dropped to zero between October and November.

In terms of capabilities, the malware revolves around the same information-stealing functions as before: credential harvesting from browsers, exfiltration of email content, and abuse of the victim’s contact list for further distribution.

According to Cofense, the latest email themes used by Emotet actors revolve around invoices, payments, holiday gift cards, and the like. However, due to the botnet’s wide-scope targeting, quite a few email themes, in several languages, are in use in the wild. What all of them have in common is a password-protected ZIP file attachment containing a macro-laden Microsoft Office document.

Source: Cofense

One key difference of the new document compared to earlier versions is that once the victim “enables content” and the macro runs, an error dialog appears saying that “Word experienced an error trying to open the file.” This is meant to keep the infection hidden, as the victim may falsely believe that nothing was executed after all. In reality, though, Emotet is already running in the background.

Source: Cofense

To evade detection by AV tools, the new strain uses the Windows built-in “rundll32.exe” for its initialization, whereas previously it used a standalone executable. This is not a major change, but it does reduce the chances of detection, if only slightly. Finally, as regards C2 communications, the plaintext data approach has been abandoned in favour of binary data, adding a basic form of obfuscation to protect against unsophisticated network security solutions.
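The rundll32.exe initialization described above leaves a process lineage that defenders can look for: an Office application spawning a Windows built-in binary. The following detection logic is an added example written for this article, not code from Cofense or from the Emotet research; it runs over constructed Sysmon-style process-creation events and generalizes slightly beyond rundll32 to other commonly abused built-ins, with the parent and child process names, the user-writable path pattern and the severity levels all being assumptions of the example.

```python
import re
from typing import Optional

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\invoice.dll,RunEntry"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
]

# Office applications that should rarely, if ever, spawn these binaries.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
# User-writable locations a macro-dropped DLL would typically be written to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict for an Office-to-built-in spawn, else None."""
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in LOLBINS:
        return None
    severity = "high" if child == "rundll32.exe" else "medium"
    if child == "rundll32.exe" and USER_WRITABLE.search(event["cmdline"]):
        severity = "critical"  # DLL loaded from a user-writable directory
    return {"parent": parent, "child": child, "severity": severity,
            "cmdline": event["cmdline"]}


def scan(events: list) -> list:
    """Run classify() over a batch of events and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['parent']} -> "
              f"{alert['child']}: {alert['cmdline']}")
```

On the constructed input, the Word-to-rundll32 event loading a DLL from a Temp directory is rated critical, the Explorer-launched rundll32 is ignored as benign, and the Excel-to-cmd.exe event is flagged at medium severity.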

The secondary payloads remain TrickBot, Qakbot, and Zloader, with TrickBot observed in the majority of the most recent cases. All in all, Emotet’s authors have made some effort to upgrade the notorious botnet and increase its chances of success. Still, if you are careful and use a good enough AV and internet security solution, you have nothing to fear. Just don’t open attachments that arrive via unsolicited communications, and don’t enable content in your MS Office suite.
