Emotet malware returns in high-volume email campaign

Emotet malware is back after a four-month hiatus, in a high-volume malicious email campaign. The campaign shows several stark differences from earlier activity that researchers believe may reflect new operators or new management behind the malware.

Since early November, researchers from Cisco Talos and Proofpoint have observed the malware being distributed daily through hundreds of thousands of malicious emails, which continue to target organizations in the United States as well as in other countries. Emotet has steadily adopted new tactics since returning in 2021, nearly ten months after law enforcement disrupted its infrastructure in a coordinated international operation.

“Proofpoint expects the actor to continue to evolve, with potential for increased email volumes, more geographies targeted, and new variants or techniques of attached or related threats,” said Pim Trouerbach and Axel F, researchers at Proofpoint, in a Wednesday analysis. “Additionally, given the changes seen in the Emotet binary, it is likely that it will also continue to adapt.”

The November campaigns bear several similarities to the Emotet attacks last seen in July. For example, the malicious emails continue to rely primarily on generic decoys, including IRS-themed ones, as well as thread hijacking and language localization to deceive targets. However, several changes have also been made to Emotet and its payloads, including the modules, the loader, and the packer.

While the campaign emails carry Excel attachments, as in previous Emotet attacks, these Excel files now include instructions telling the target to copy the file into a Microsoft Office template location and open it from there. For the threat actors, this removes the need to convince users to click “Enable Content” so that macros run, but the extra step adds friction, because the move requires administrative privileges. The researchers said it is currently unclear how effective this technique is.

“This is a trusted location, and opening a document located in this folder will cause the macros to run immediately without any warning or user interaction,” the researchers said. “However, when moving a file to a template location, the operating system asks users to confirm, and administrator permissions are required to perform such a move.”


Changes to the Emotet loader itself include new commands in addition to the existing ones for updating the bot and loading modules and executables. Emotet now supports commands to load an executable via regsvr32.exe and to invoke rundll32.exe with a randomly named DLL and the PluginInit export.
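As an added example (not code from the article, Proofpoint or Cisco Talos), the following Python script turns the delivery behaviours described above into detection logic over process-creation telemetry: an Office application opening a document from an Office Templates folder (the lure's copy-and-open step), regsvr32.exe loading a module from a user-writable directory, rundll32.exe called with the PluginInit export, and an Office process spawning either loader host. The event shape, the Templates paths, the list of user-writable directories and the sample events are all constructed assumptions for the example; the rules are starting points to tune against your own telemetry, not a signature of the campaign.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation record. The field set is an assumption, modelled
    loosely on Sysmon Event ID 1 (ParentImage, Image, CommandLine)."""
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"excel.exe", "winword.exe"}
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe"}

# Office template folders a lure can tell the victim to copy the file into.
# Both paths (per-user and per-install) are assumptions for this example.
TEMPLATES_DIR = re.compile(
    r"\\(?:AppData\\Roaming\\Microsoft\\Templates|Microsoft Office\\(?:root\\)?Templates)\\",
    re.I,
)
# Directories a freshly dropped loader module typically lives in (assumed list).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# rundll32 <dll>,PluginInit : the export name called out in the analysis.
PLUGININIT = re.compile(r",\s*PluginInit\b", re.I)


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_args(command_line: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def regsvr32_target(command_line: str) -> str | None:
    """First non-switch argument to regsvr32.exe, i.e. the module it will load."""
    for arg in split_args(command_line)[1:]:
        if not arg.startswith(("/", "-")):
            return arg
    return None


def classify(ev: ProcEvent) -> list[str]:
    """Names of every rule the event trips (empty list means nothing suspicious)."""
    hits: list[str] = []
    image, parent = basename(ev.image), basename(ev.parent_image)

    # 1. The lure's "copy it to the Templates folder and open it from there" step.
    if image in OFFICE_APPS and TEMPLATES_DIR.search(ev.command_line):
        hits.append("office_opened_doc_from_templates_dir")

    # 2. The new loader command: rundll32 <random name>.dll,PluginInit
    if image == "rundll32.exe" and PLUGININIT.search(ev.command_line):
        hits.append("rundll32_plugininit_export")

    # 3. The other new command: regsvr32 loading a module from a drop location.
    if image == "regsvr32.exe":
        target = regsvr32_target(ev.command_line)
        if target and USER_WRITABLE.search(target):
            hits.append("regsvr32_module_from_user_writable_dir")

    # 4. Macro execution usually shows up as Office spawning the loader host.
    if parent in OFFICE_APPS and image in LOADER_HOSTS:
        hits.append("office_spawned_loader_host")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """(index, hits) for every event that trips at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := classify(ev))]


OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
# Constructed sample telemetry; paths, file names and the user are made up.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", OFFICE16 + r"\EXCEL.EXE",
              '"' + OFFICE16 + r'\EXCEL.EXE" "C:\Users\alice\Downloads\budget.xlsx"'),
    ProcEvent(r"C:\Windows\explorer.exe", OFFICE16 + r"\EXCEL.EXE",
              '"' + OFFICE16 + r'\EXCEL.EXE" "C:\Program Files\Microsoft Office\root\Templates\Invoice_4471.xls"'),
    ProcEvent(OFFICE16 + r"\EXCEL.EXE", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /S "C:\Users\alice\AppData\Local\Temp\qxvbtl.dll"'),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\wnrjkp.dll",PluginInit'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

The PluginInit export is the highest-fidelity signal here; the "random DLL name" the researchers mention is deliberately not encoded as a rule, because a name-entropy heuristic produces more noise than the path and parent-process checks, which already fire on the constructed Excel-to-regsvr32-to-rundll32 chain while leaving the benign shell32.dll and installer events alone.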

Additionally, “one of the biggest changes to the unpacked loader itself was the reimplementation of the communication loop,” the researchers said. “The old version used a sleep to determine how often requests were made to C2 servers. The new version uses the Windows API CreateTimerQueueEx. This API takes a callback function which is called after an initial duration and then after a period defined in a loop.”

After infection, Emotet also began dropping a new variant of the known IcedID loader. This version omits the features earlier IcedID loaders used to exfiltrate system data, leading researchers to believe the loader is being deployed to already infected machines where there is no need to collect a system profile.

The new variant also adds commands alongside the existing ones for retrieving stored browser credentials, browser cookies, running processes and so on. The new commands include the ability to send internal IcedID logs, read and search files, and send file contents to the command and control (C2) server, which may indicate a higher priority for IcedID bots running on Emotet-infected machines, the researchers said.

IcedID has previously been used as an Emotet follow-on payload; however, the researchers said the addition of these commands could indicate a change in ownership or a stronger relationship between Emotet and IcedID. Overall, the return of TA542, the threat group behind Emotet, in conjunction with the delivery of IcedID “is concerning,” and in many cases these infections can lead to ransomware, the researchers said.

“Emotet dropping IcedID marks Emotet as fully functional again, by acting as a delivery network for other malware families. Emotet has not demonstrated full functionality and consistent follow-on payload delivery (that is not Cobalt Strike) since 2021, when it was observed distributing The Trick and Qbot,” the researchers said.
