Emotet Botnet Returns After 2-Month Hiatus
Researchers: Malware Revamped to Better Avoid Network Defenses
After a nearly two-month hiatus, the Emotet botnet sprung back to life this week with a fresh spamming and phishing campaign designed to spread other malware as secondary payloads.
In an alert sent Tuesday, security firm Cofense notes that the new Emotet campaign, which uses many of the same techniques as in previous campaigns, is delivering Trickbot malware.
In October, Microsoft and other security firms worked on dismantling Trickbot's infrastructure, but security researchers warned it was likely to return after a short period (see: Updated Trickbot Malware Is More Resilient ).
"The Emotet botnet is one of the most prolific senders of malicious emails when it is active, but it regularly goes dormant for weeks or months at a time," the Cofense researchers note. "This year, one such hiatus lasted from February through to mid-July, the longest break we've seen in the last few years. Since then, we observed regular Emotet activity through the end of October, but nothing from that point until today."
Sherrod DeGrippo, senior director of threat research and detection at security firm Proofpoint, says it was surprising to see Emotet make a comeback this week because the botnet is typically quiet around the December holiday season.
"The last campaign observed was on Oct. 30, 2020. It’s not clear why the threat actor abruptly stopped distribution in October; however, threat actors often take breaks in their distribution activities for a variety of reasons," DeGrippo says. "This doesn’t mean they have stopped working completely; it just is a pause in sending activity."
By late Tuesday, Proofpoint researchers had detected more than 100,000 Emotet-laced emails written in English, German, Spanish, Italian and other languages. The firm notes that the phishing emails use a technique called thread hijacking so the malicious messages will appear in the middle of an email thread. The malware is typically hidden in malicious Word documents, zip files or URLs.
The latest Emotet campaign starts with phishing emails, some of which leverage previous victims' stolen data so they appear more authentic. Other phishing emails use generic templates, which are then tweaked with current news or other topics to entice users to click on a malicious link, researchers say.
Cofense researchers note that the Emotet phishing emails are using a holiday theme and a variety of techniques to deliver a malicious Microsoft Office document.
Tonia Dudley, strategic adviser at Cofense, says the latest trend with Emotet is the use of what appear to be password-protected files. "While we saw this in their previous campaigns, we're seeing an increase of the usage in the latest campaigns," she says.
The latest phishing emails contain malicious macro code to install Emotet, and the emails claim that this "protected" document requires users to enable macros in order to open it, according to Cofense.
In older versions of these attacks, the document would not give any visible response after the macros were enabled, which could make the victim suspicious. As part of the new campaign, the Cofense researchers note that the threat actors have now included a dialog box that says: "Word experienced an error trying to open the file."
This gives the user an explanation as to why they don't see the content immediately, and they will likely ignore the incident while Emotet runs in the background and infects the device, according to the Cofense researchers.
The researchers also note that the operators behind Emotet have tweaked its code to better avoid detection by security tools. For example, the malware had previously used a standalone executable file with a ".exe" filename, but this has been changed to a Dynamic Link Library file that is initialized using a built-in Windows program called rundll32.exe, which makes the malware more difficult to detect, according to Cofense.
"Emotet's command-and-control communication has also been changed to use binary data rather than plain text, which will likely make it more difficult to detect at the network level," Cofense says.
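As an added illustration (not code from Cofense or the article), here is a small Python check a defender might run over process-creation records to surface the pattern described above: an Office application launching rundll32.exe, or rundll32.exe loading a DLL from a non-system directory. The pipe-delimited record layout and the sample records are constructed for this example; the field names and helper functions are assumptions, not any tool's API.

```python
import re

# Constructed sample process-creation records (not real telemetry).
# Assumed layout: parent image | child image | child command line.
SAMPLE_EVENTS = [
    "WINWORD.EXE|rundll32.exe|rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.dll,Control_RunDLL",
    "explorer.exe|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    "WINWORD.EXE|splwow64.exe|splwow64.exe 12288",
    "svchost.exe|rundll32.exe|rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    "explorer.exe|rundll32.exe|rundll32.exe \"C:\\Users\\bob\\Downloads\\setup.dll\",DllRegisterServer",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_event(line):
    """Split one constructed record into its three fields (image names lower-cased)."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}

def dll_path(cmdline):
    """Extract the DLL from a rundll32 command line ('<dll>,<entrypoint>'; the DLL may be quoted)."""
    m = re.match(r'^\S*rundll32\.exe\s+"?([^",]+?)"?\s*,', cmdline, re.IGNORECASE)
    return m.group(1) if m else None

def suspicious_reasons(event):
    """Return the reasons a rundll32 launch looks suspicious (empty list if none)."""
    if event["image"] != "rundll32.exe":
        return []
    reasons = []
    if event["parent"] in OFFICE_PARENTS:
        reasons.append("rundll32 spawned by Office process " + event["parent"])
    path = dll_path(event["cmdline"])
    # A bare name like shell32.dll resolves via the normal search path; only an explicit
    # path outside the Windows system directories is flagged here.
    if path and "\\" in path and not path.lower().startswith(TRUSTED_DLL_DIRS):
        reasons.append("DLL loaded from non-system path " + path)
    return reasons

def detect(lines):
    """Return (record index, reasons) for every record that triggers at least one reason."""
    hits = []
    for i, line in enumerate(lines):
        reasons = suspicious_reasons(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].split("|")[0], "->", "; ".join(why))
```

Only the first and last constructed records are reported: the first on both criteria, the last on the DLL path alone.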
"Our initial analysis revealed small changes to the code and we're continuing to explore that. Code changes are common after a significant break in sending activity," DeGrippo notes. "This may indicate that the actor was working on improvements to their infrastructure during the break."
Emotet first appeared as a banking Trojan in 2014. Over the years, its operators, which Proofpoint identified as a group known as TA542, have adjusted the malicious code for other purposes. Now, the malware primarily works as a botnet and "dropper" delivering Trojans and other malicious code to infected devices, according to security researchers.
In October, the U.S. Cybersecurity and Infrastructure Security Agency called Emotet one of the most dangerous malware variants currently active and warned government agencies about possible attacks (see: CISA Warns of Emotet Attacks Against Government Agencies ).
Before its previous hiatus at the end of October, researchers with HP-Bromium noted that Emotet infections increased 1,200% in the third quarter of this year, compared with the second quarter (see: Emotet Attacks Continue to Soar as Botnet Spreads Globally).