Emotet malware returns after a three-month break

The Emotet malware operation is again spamming malicious emails as of Tuesday morning after a three-month break, rebuilding its network and infecting devices worldwide.

Emotet is a notorious malware distributed through email containing malicious Microsoft Word and Excel document attachments. When users open these documents and macros are enabled, the Emotet DLL will be downloaded and loaded into memory.

Once Emotet is loaded, the malware will sit quietly, waiting for instructions from a remote command and control server.

Eventually, the malware will steal victims’ emails and contacts for use in future Emotet campaigns or download additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.

While Emotet has been considered the most distributed malware in the past, it has gradually slowed down, with its last spam operation seen in November 2022. However, even then, the spamming only lasted two weeks.

Emotet returns in 2023

Instead of using reply-chain emails like in the previous campaign, the threat actors are utilizing emails that pretend to be invoices, as shown below.

Emotet phishing email
Source: Cofense

Attached to these emails are ZIP archives containing inflated Word documents that are over 500 MB in size. They are swollen to make it harder for antivirus solutions to scan them and detect them as malicious.

These Microsoft Word documents use Emotet’s ‘Red Dawn’ document template, prompting users to enable content on the document to see it correctly.

Malicious Microsoft Word document using the Red Dawn template
Source: BleepingComputer

These documents contain macros that will download the Emotet loader as a DLL from compromised sites, many of which are hacked WordPress blogs.

A mess of malicious macros embedded in an Emotet Word document
Source: BleepingComputer

When downloaded, Emotet will be saved to a random-named folder under %LocalAppData% and launched using regsvr32.exe.

Emotet loader launched by Regsvr32.exe
Source: BleepingComputer

Like the Word document, the Emotet DLL has been swollen to 526 MB to hinder antivirus software’s ability to detect it as malicious.

This evasion technique shows success, as illustrated in a VirusTotal scan where the malware is detected by only one security vendor out of 64 engines, and that vendor only flags it as ‘Malware.SwollenFile’.

Swollen Emotet DLL to evade detection
Source: BleepingComputer
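As an added illustration (not from the article or from BleepingComputer), a small Python triage routine that applies the two indicators described above, regsvr32.exe loading a DLL from a random-named folder under %LocalAppData% and a DLL inflated past 500 MB, to constructed process-creation records; the record format, user names, folder names and byte sizes are all assumed sample data.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation records in the form "image|command line|DLL size in bytes".
# These are made-up examples for illustration, not telemetry from the campaign.
SAMPLE_EVENTS = [
    "C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Tmtbr\\kvrm.dll|551000000",
    "C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Program Files\\Vendor\\control.dll|180000",
    "C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL|20000000",
    "C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe C:\\Users\\bob\\AppData\\Local\\Xq1m\\a.dll|1200000",
]

SIZE_THRESHOLD = 500 * 1024 * 1024  # the article's "over 500 MB" inflated files
LOCALAPPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\", re.IGNORECASE)
DLL_RE = re.compile(r"([A-Za-z]:\\[^|]*?\.dll)", re.IGNORECASE)


def classify(event):
    """Return None for events that are not regsvr32.exe loading a DLL, otherwise a
    dict with the DLL path, its size, and the list of indicators that fired."""
    image, cmdline, size = event.split("|")
    if PureWindowsPath(image).name.lower() != "regsvr32.exe":
        return None
    match = DLL_RE.search(cmdline)
    if not match:
        return None
    dll, size = match.group(1), int(size)
    reasons = []
    if LOCALAPPDATA_RE.search(dll):
        reasons.append("dll loaded from %LocalAppData%")
    if size > SIZE_THRESHOLD:
        reasons.append("dll inflated past 500 MB")
    return {"dll": dll, "size": size, "reasons": reasons}


def triage(events):
    """Return (dll path, severity) for every regsvr32 load that trips an indicator:
    'high' when both indicators fire, 'medium' when only one does."""
    hits = []
    for event in events:
        result = classify(event)
        if result and result["reasons"]:
            severity = "high" if len(result["reasons"]) == 2 else "medium"
            hits.append((result["dll"], severity))
    return hits


if __name__ == "__main__":
    for dll, severity in triage(SAMPLE_EVENTS):
        print(f"{severity}: {dll}")
```

The size indicator alone is a weak signal (legitimate large DLLs exist), which is why the routine only rates a load as high when the %LocalAppData% path indicator fires as well.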

Once running, the malware sits in the background awaiting commands, which will likely install further payloads on the device.

The payloads allow other threat actors to remotely access the device, which is then used to spread further in the compromised network.

These attacks commonly lead to data theft and full-blown ransomware attacks on breached networks.

Recent Microsoft changes save the day

While Emotet is rebuilding its network, the current method may not have much success after recent changes by Microsoft.

In July 2022, Microsoft finally disabled macros by default in Microsoft Office documents downloaded from the Internet.

Due to this change, users who open an Emotet document will be greeted with a message stating that the macros are disabled because the source of the file is not trusted.

Macros disabled by default in Microsoft Office
Source: BleepingComputer

For most users receiving Emotet emails, this feature will likely protect them from mistakenly enabling macros unless they make a concerted effort to enable them.

This change has led other threat actors to move away from Word and Excel documents and abuse other file formats, such as Microsoft OneNote, ISO images, and JS files.

It would not be surprising to see Emotet also move to different attachment types if this initial campaign does not go as intended.

Source: BleepingComputer