The Emotet malware operation resumed spamming malicious emails on Tuesday morning after a three-month break, rebuilding its network and infecting devices worldwide.
Emotet is a notorious malware strain distributed through emails carrying malicious Microsoft Word and Excel attachments. When a user opens one of these documents and enables macros, the macro downloads the Emotet DLL and loads it into memory.
Once Emotet is loaded, the malware will sit quietly, waiting for instructions from a remote command and control server.
Eventually, the malware will steal victims’ emails and contacts for use in future Emotet campaigns or download additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.
Emotet was once considered the most widely distributed malware, but its activity has gradually slowed; its last spam run, in November 2022, lasted only about two weeks.
Emotet returns in 2023
Instead of the reply-chain emails used in the previous campaign, the threat actors are now sending emails that pose as invoices, as shown below.
Attached to these emails are ZIP archives containing Word documents inflated to more than 500 MB. The padding exists to hinder antivirus scanning: some engines skip or only partially scan files above a size threshold, and the junk bytes also give every sample a unique file hash.
These Word documents use Emotet's 'Red Dawn' document template, which prompts the user to enable content so that the document displays correctly.
These documents contain macros that will download the Emotet loader as a DLL from compromised sites, many of which are hacked WordPress blogs.
Once downloaded, the DLL is saved to a randomly named folder under %LocalAppData% and launched with regsvr32.exe.
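The launch step above (a DLL dropped into a randomly named folder under %LocalAppData% and executed by regsvr32.exe) is a usable detection signal. The following is an added example, not code from the article or from any security product: a small hunting rule run over constructed Sysmon-style process-creation records. The folder and DLL naming pattern, the record field names, and the use of WINWORD.EXE/EXCEL.EXE as the parent process (the article only says the macro launches regsvr32) are assumptions of the example.

```python
import re

# Regex for a DLL path of the form <drive>:\Users\<user>\AppData\Local\<folder>\<name>.dll.
# Folder and file names are assumed to be short alphanumeric tokens; adjust for your environment.
DLL_IN_LOCALAPPDATA = re.compile(
    r"(?i)[a-z]:\\users\\[^\\]+\\appdata\\local\\(?P<folder>[a-z0-9_]{3,})\\(?P<dll>[a-z0-9_]{3,})\.dll"
)

# Office parents raise confidence: a Word/Excel macro spawning regsvr32 is rarely legitimate (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}


def score_event(ev):
    """Return a finding dict for a suspicious regsvr32 launch, or None if the event is not interesting."""
    image = ev.get("Image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return None
    match = DLL_IN_LOCALAPPDATA.search(ev.get("CommandLine", ""))
    if not match:
        return None
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    # Installers do sometimes register DLLs from %LocalAppData%, so a non-Office parent is only "medium".
    severity = "high" if parent in OFFICE_PARENTS else "medium"
    return {
        "severity": severity,
        "parent": parent,
        "folder": match.group("folder"),
        "dll": match.group("dll"),
    }


def hunt(events):
    """Run score_event over a list of records; return [(UtcTime, finding), ...] in input order."""
    hits = []
    for ev in events:
        finding = score_event(ev)
        if finding is not None:
            hits.append((ev.get("UtcTime", ""), finding))
    return hits


# Constructed Sysmon Event ID 1-style records for demonstration; this is not real telemetry.
SAMPLE_EVENTS = [
    {   # macro in a Word document launching the dropped DLL -> high
        "UtcTime": "2023-03-07 10:15:02",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe "C:\Users\alice\AppData\Local\Xkqjwz\Yzpqrm.dll"',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # user-launched installer registering a DLL from %LocalAppData% -> medium
        "UtcTime": "2023-03-07 10:20:44",
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "CommandLine": r"regsvr32.exe C:\Users\bob\AppData\Local\Acme\acme.dll",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # DLL under Program Files -> not matched
        "UtcTime": "2023-03-07 10:21:10",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    {   # different host binary -> not matched by this rule
        "UtcTime": "2023-03-07 10:22:31",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\carol\AppData\Local\Foo\bar.dll,Start",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for when, finding in hunt(SAMPLE_EVENTS):
        print(when, finding)
```

The rule deliberately keys on three things at once (host binary, path shape, parent process) rather than on file size or hash, which the padding described later in the article defeats. In production the same logic maps directly onto a Sigma rule over Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled.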
Like the Word document, the Emotet DLL has been inflated, to 526 MB, to hinder detection by antivirus software.
The evasion works: in a VirusTotal scan, only one of 64 engines detected the DLL, and that engine flagged it only generically as 'Malware.SwollenFile'.
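The inflation trick used for both the Word document and the DLL above is worth handling explicitly in a triage pipeline, because size limits and hash lookups are exactly what it defeats. The following is an added example, not code from the article or from any vendor: it measures the run of identical bytes that ends a file, flags the file as inflated when that run dominates, and hashes the unpadded core so samples that differ only in padding length collapse to one hash. The article does not say which byte value was used for padding or where it sits in the file; the example assumes a single repeated byte appended at the end, and the sample bytes are constructed and scaled down from the 500 MB figures in the text.

```python
import hashlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                        # .docx/.xlsm/.dotm containers


def trailing_run(data):
    """Return (byte_value, run_length) for the run of identical bytes that ends the file."""
    if not data:
        return (-1, 0)
    last = data[-1]
    stripped = data.rstrip(bytes([last]))
    return (last, len(data) - len(stripped))


def analyze(data, min_pad_bytes=1 << 20, min_pad_ratio=0.5):
    """Classify a file as inflated and compute hashes of both the full file and its unpadded core.

    A file counts as inflated only when the trailing run is at least min_pad_bytes long AND makes up
    at least min_pad_ratio of the file; both thresholds are assumptions tuned for demonstration.
    """
    pad_byte, pad_len = trailing_run(data)
    ratio = pad_len / len(data) if data else 0.0
    inflated = pad_len >= min_pad_bytes and ratio >= min_pad_ratio
    # Only strip when we believe the tail is padding; a legitimate file ending in a few
    # repeated bytes must keep its real hash.
    core = data[: len(data) - pad_len] if inflated else data
    if core.startswith(OLE_MAGIC):
        container = "ole"
    elif core.startswith(ZIP_MAGIC):
        container = "zip"
    else:
        container = "unknown"
    return {
        "size": len(data),
        "pad_byte": pad_byte,
        "pad_len": pad_len,
        "pad_ratio": round(ratio, 4),
        "container": container,
        "inflated": inflated,
        "sha256_full": hashlib.sha256(data).hexdigest(),
        "sha256_core": hashlib.sha256(core).hexdigest(),
    }


def analyze_file(path, **kwargs):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return analyze(fh.read(), **kwargs)


# Constructed samples: a small fake OLE document and the same document with 2 MiB of zero padding.
SAMPLE_CORE = OLE_MAGIC + bytes(range(256)) * 16
INFLATED_DOC = SAMPLE_CORE + b"\x00" * (2 * 1024 * 1024)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CORE), ("inflated", INFLATED_DOC)):
        print(name, analyze(blob))
```

Two limitations a practitioner should keep in mind: padding inserted inside a container (for example inside an OLE stream) rather than appended will not be found by a trailing-run check, and the core hash is only useful if the rest of the pipeline (sandbox, YARA, VirusTotal lookup) is fed the stripped bytes rather than the original oversized file.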
Once running, the malware waits in the background for commands, which will most likely install further payloads on the device.
These payloads give other threat actors remote access to the device, which they then use to spread further within the compromised network.
These attacks commonly lead to data theft and full-blown ransomware attacks on breached networks.
Recent Microsoft changes save the day
While Emotet is rebuilding its network, the current delivery method may not have much success after recent changes by Microsoft.
In July 2022, Microsoft finally disabled macros by default in Microsoft Office documents downloaded from the Internet. The block keys off the Mark of the Web (the Zone.Identifier stream) that browsers and mail clients attach to downloaded files; Windows' built-in ZIP extraction carries it over to the extracted document, though some third-party archivers do not propagate it, so the protection is not absolute.
Because of this change, users who open an Emotet document are greeted with a banner stating that Microsoft has blocked macros from running because the source of the file is untrusted.
For most users receiving Emotet emails, this feature should stop them from enabling macros by mistake: the macros can no longer be turned on with a single click, and the user would have to take deliberate steps, such as unblocking the file in its properties dialog, to run them.
This change has already led other threat actors to move away from Word and Excel documents and abuse other file formats, such as Microsoft OneNote notebooks, ISO disk images, and JavaScript (.js) files.
It would not be surprising to see Emotet move to different attachment types as well if this initial campaign does not perform as intended.