Emotet Loader Back in Business as Holiday Season Nears

According to Proofpoint, threat actors have commenced a high-volume malspam email campaign using the Emotet malware loader since early November.

November 18, 2022

TA542, a threat group behind the Emotet botnet, has reportedly returned after a summer and autumn break. According to Proofpoint, the threat actors have commenced a high-volume malspam email campaign using the malware loader since early November.

Malicious operations using Emotet resumed this month, four months after being last seen on July 13, 2022. Proofpoint and Cisco’s threat intelligence arm, Talos Intelligence, both spotted the info stealer’s use and confirmed that tactics used in the Emotet-based malware delivery campaign more or less remain the same.

Suspending and later resuming operations seems to be a mainstay of the malware dropper. Dubbed the world’s nastiest malware by Webroot for three years in a row until 2020, Emotet was created as a banking trojan in 2014 to steal financial data. Emotet earned its notoriety for information theft: passwords, contact lists, and content and email attachments harvested from browsers such as Firefox and Chrome and from mail clients such as Outlook and Thunderbird.

It has since evolved into a trojan/malware dropper and was used by hackers to deploy second-stage ransomware, which was then used to exfiltrate data, encrypt devices, and compromise IT networks. One of the more serious operations it was involved in was the infiltration of systems and networks and the delivery of second-stage malware such as TrickBot and QBot.

It has received several technical upgrades in 2022, but the overall technique, i.e., the reliance on Microsoft Office-based files and generic lures, remains the same. Changes in Emotet include Microsoft Excel attachments (as opposed to Word), changes in the malware binary, and dropping the IcedID and Bumblebee malware loaders.

Emotet malspam volumes in 2022

Emotet’s worm-like capabilities, which enable self-propagation, helped TA542 infect and impact 6% of organizations globally using the trojan by May 2022. Microsoft dented Emotet’s capabilities by disabling specific macros in Office files, which impacted April and May malspam volumes.

However, Proofpoint assessed that the present-day volumes are “comparable to historic averages. Hence, it does not appear that the Emotet botnet lost any significant spamming capability during the inactive period.” The current malspam campaign measures hundreds of thousands of emails.

Emotet Campaign Volumes Over the Years | Source: Proofpoint

Cisco Talos explained that malware families “have begun migrating away from Office macros to other delivery mechanisms like ISO and LNK files. Therefore, it is interesting to note that this new campaign of Emotet is using its old method of distributing malicious MS Office documents (maldocs) via email-based phishing.”


How Emotet lures targets

TA542 uses generic lures, including impersonating the Internal Revenue Service (IRS) to target businesses for quarterly tax-related actions. “While no other current events and holiday shopping-based lures have been observed yet, it is likely they will be used soon,” Proofpoint noted.

Emotet-laden email samples assessed by Talos contained either an XLS file attachment or a zip file, which in turn contained an XLS file. Messaging is minimal in the email body, generally consisting of a filename and password. TA542 can also disguise the email as a reply to throw off unwary users. More importantly, it localizes the email language to that of the region it is targeting.

TA542 Malspam Email With Emotet Localized by Region | Source: Proofpoint

Besides English and German, Proofpoint also observed emails using Italian, Spanish, French, Portuguese, and Japanese. Targeted users reside mostly in the U.S., U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil. 

Because TA542 still relies on Office macros, it needs additional social engineering: users must be convinced to move the attachment to a folder where macro protection is turned off.

XLS Attachment in Emotet Malspam | Source: Cisco Talos

“The documents might look empty, but they contain hidden sheets with text in them, which is used by the VBA macro to assemble the URL from where the Emotet malware is downloaded. By simply un-hiding the sheets and copying the text to a text editor, we can see the content of these sheets,” Talos added.
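The hidden-sheet trick Talos describes can be checked for automatically during triage. The following is an added example, not Talos or Proofpoint code: it opens a workbook in the OOXML container (.xlsx/.xlsm; the legacy binary .xls format the campaign used needs a different parser), lists sheets whose state is hidden or veryHidden, pulls the text out of those sheets, and reports whether the joined fragments form a URL. The sample workbook, its sheet names and the placeholder URL are constructed here, and the mapping of sheet order to `sheetN.xml` parts is a simplification of the workbook relationships.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def build_sample_xlsm() -> bytes:
    """Constructed sample: one visible empty sheet plus a veryHidden sheet whose
    cells hold fragments of a placeholder URL, and a stub vbaProject.bin marker."""
    workbook = (
        f'<workbook xmlns="{NS["m"]}"><sheets>'
        '<sheet name="Sheet1" sheetId="1"/>'
        '<sheet name="Sheet2" sheetId="2" state="veryHidden"/>'
        '</sheets></workbook>'
    )
    sheet2 = (
        f'<worksheet xmlns="{NS["m"]}"><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>http://</t></is></c>'
        '<c r="B1" t="inlineStr"><is><t>example.invalid/</t></is></c></row>'
        '<row r="2"><c r="A2" t="inlineStr"><is><t>payload.bin</t></is></c></row>'
        '</sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS["m"]}"><sheetData/></worksheet>')
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # presence marker only
    return buf.getvalue()

def triage_workbook(data: bytes) -> dict:
    """Report hidden sheets, VBA presence, and any URL assembled from hidden-sheet text."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        root = ET.fromstring(z.read("xl/workbook.xml"))
        hidden, fragments = [], []
        for idx, sheet in enumerate(root.findall("m:sheets/m:sheet", NS), start=1):
            state = sheet.get("state", "visible")
            if state == "visible":
                continue
            hidden.append((sheet.get("name"), state))
            part = f"xl/worksheets/sheet{idx}.xml"  # simplification: index-ordered parts
            if part in names:
                ws = ET.fromstring(z.read(part))
                fragments += [t.text or "" for t in ws.iter(f"{{{NS['m']}}}t")]  # cell text in document order
        joined = "".join(fragments)
        has_vba = "xl/vbaProject.bin" in names
        return {"has_vba": has_vba, "hidden_sheets": hidden, "hidden_text": joined,
                "urls": re.findall(r"https?://[^\s\"'<>]+", joined),
                "suspicious": has_vba and bool(hidden)}
```

A hit on both a VBA project and hidden sheets is a strong triage signal on its own; the extracted URL is what you would block or hunt for in proxy logs.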

Changes in Emotet

While tactical and operational elements of Emotet are similar to those previously observed, Proofpoint delineated some technical upgrades, including new commands (bot update, module loading, executable loading, etc.), a new check-in packet format, the use of a new packer, and a new implementation of the communication loop using the Windows API CreateTimerQueueEx.

“Emotet dropping IcedID marks Emotet as being in full functionality again, by acting as a delivery network for other malware families,” Proofpoint said. “TA542’s return coinciding with the delivery of IcedID is concerning.”

The last time Emotet exhibited full functionality wherein it consistently delivered payloads was before its infrastructure was taken down in 2021 when it primarily delivered TrickBot and Qbot.

“Overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet. The addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership or at least the start of a relationship between IcedID and Emotet.”


Image source: Shutterstock


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com