
Emotet Is Back Again!

Malware Reemerges With Improved Evasion and Appreciation of 19th-Century Literature
An illustration from "Moby Dick" drawn by Augustus Burnham Shute for the 1892 edition of Herman Melville's classic of 19th-century American literature.

Emotet malware is active again. Security researchers have logged the latest sighting of the Office-macro-dependent Trojan in what has become a cycle of reemergence and hibernation.


Before the newest wave of malicious Emotet emails began earlier this month, researchers from Cofense say the malware was active for a two-week run in November. The latest batch of emails carries a zipped Office document with embedded macros and a social engineering prompt that coaxes users past the warnings Microsoft displays for files downloaded from the internet. Office opens such files in Protected View with macros blocked, so the lure's job is to get the recipient to click through "Enable Editing" and "Enable Content"; the macro does not run until they do.

Trend Micro says Emotet has new command-and-control infrastructure and new evasion techniques. Deep Instinct says one element of the evasion is pasting a chunk of the 19th-century American novel "Moby Dick" into the malicious Word document as white text, invisibly bulking up the word count so the file no longer looks like a near-empty document carrying only an image and a macro. "Many security tools will classify a Word document with just an image and a macro as malicious, which is true in most cases," the firm says.
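A simple way to surface the white-text trick is to open the .docx (a ZIP archive), walk the runs in word/document.xml and compare how many characters carry an explicit white font colour against how many are visible. The script below is an added example, not tooling from Deep Instinct, Cofense or Trend Micro; the sample documents it builds are constructed in memory, the near-white colour codes and the 500-character / 90% thresholds are assumptions, and a real lure could hide text by other means (the `w:vanish` property, 1-point fonts, theme colours), so treat this as one signal rather than a verdict.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from xml.sax.saxutils import escape

# WordprocessingML namespace used by word/document.xml inside a .docx.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}
W_VAL = f"{{{W_NS}}}val"

# Font colours treated as invisible on a white page. FFFFFF is the literal
# "white text" trick; the near-whites are an assumed variant, not from the article.
WHITE_LIKE = {"FFFFFF", "FEFEFE", "FDFDFD"}


def _run_is_white(run):
    """True if a <w:r> run carries an explicit white-ish font colour."""
    color = run.find("w:rPr/w:color", NS)
    return color is not None and color.get(W_VAL, "").upper() in WHITE_LIKE


def count_text(docx_bytes):
    """Return (hidden_chars, visible_chars) for the main document part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    hidden = visible = 0
    for run in root.iter(f"{{{W_NS}}}r"):
        chars = sum(len(t.text or "") for t in run.findall("w:t", NS))
        if _run_is_white(run):
            hidden += chars
        else:
            visible += chars
    return hidden, visible


def looks_bulked(docx_bytes, min_hidden=500, min_ratio=0.9):
    """Flag a document whose text is overwhelmingly white-on-white filler."""
    hidden, visible = count_text(docx_bytes)
    total = hidden + visible
    return hidden >= min_hidden and total > 0 and hidden / total >= min_ratio


def build_sample_docx(visible_text, hidden_text):
    """Build a minimal .docx in memory: one visible run, one white run.

    Constructed sample for the demo, not a real Emotet lure.
    """
    document_xml = (
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        f"<w:p><w:r><w:t>{escape(visible_text)}</w:t></w:r></w:p>"
        '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
        f"<w:t>{escape(hidden_text)}</w:t></w:r></w:p>"
        "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed inputs: a lure-style visible line plus ~1,000 characters of Melville,
# and a benign document with no hidden text at all.
LURE = build_sample_docx("Enable Editing to view this document.", "Call me Ishmael. " * 60)
BENIGN = build_sample_docx("Quarterly report attached.", "")

if __name__ == "__main__":
    print(count_text(LURE), looks_bulked(LURE))      # (1020, 37) True
    print(count_text(BENIGN), looks_bulked(BENIGN))  # (0, 26) False
```

The ratio is the useful part: a legitimate letter may contain a white-coloured run or two, but a file whose text is 96% invisible filler sitting next to a macro is exactly the shape Deep Instinct describes, and the check costs nothing compared with detonating the document.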

Emotet also applies a trick known as binary padding or file pumping: inflating the malicious payload beyond the file-size limits that anti-malware tools such as sandboxes and scan engines apply before they skip inspecting a file, Trend Micro writes. If someone enables the malicious macro, Emotet delivers a Windows DLL whose genuine content is 616 kilobytes but which has been padded out to 548.1 megabytes. The padding also changes the file's hash, so a blocklist built from one sample's hash will not match the next.
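The counter-move is to measure the padding instead of refusing the file. The script below is an added example, not Trend Micro's detection logic: it finds the run of one repeated byte at the end of a file, flags the file when that run dominates its size, strips it, and hashes the remaining core so that differently pumped copies of the same DLL collapse to one indicator. The stand-in "DLL" is constructed (the article's 616 KB / 548.1 MB scaled down a thousandfold), and the choice of 0x00 as the pad byte and the 1 MiB / 50% thresholds are assumptions.

```python
import hashlib


def trailing_run(data, block=1 << 20):
    """Length of the run of one repeated byte value at the end of `data`.

    Scans backward in blocks so a multi-hundred-megabyte file is not walked
    byte by byte in Python.
    """
    if not data:
        return 0
    pad = data[-1:]
    run, end = 0, len(data)
    while end > 0:
        start = max(0, end - block)
        chunk = data[start:end]
        stripped = chunk.rstrip(pad)
        run += len(chunk) - len(stripped)
        if stripped:  # the run ended inside this block
            break
        end = start
    return run


def is_pumped(data, min_run=1 << 20, min_ratio=0.5):
    """Heuristic: a large trailing run of one byte that dominates the file size."""
    run = trailing_run(data)
    return run >= min_run and run / len(data) >= min_ratio


def strip_padding(data):
    """Return the file with the trailing single-byte run removed."""
    return data[: len(data) - trailing_run(data)]


def core_sha256(data):
    """Hash of the unpadded core; stable across differently padded copies."""
    return hashlib.sha256(strip_padding(data)).hexdigest()


# Constructed stand-in for the DLL: 616 bytes of deterministic filler that ends
# in a non-zero byte, followed by 548,100 null bytes. The 0x00 pad byte is an
# assumption for the demo; a pumped file can be padded with any value.
_filler = (hashlib.sha256(b"constructed-sample").digest() * 20)[:613]
CORE = b"MZ" + _filler + b"\xc3"
PUMPED = CORE + b"\x00" * 548_100

if __name__ == "__main__":
    run = trailing_run(PUMPED)
    print(f"padding: {run} of {len(PUMPED)} bytes ({run / len(PUMPED):.1%})")
    # Thresholds lowered to match the scaled-down sample.
    print("pumped:", is_pumped(PUMPED, min_run=1 << 16))
    print("same core hash:", core_sha256(PUMPED) == core_sha256(CORE + b"\x00" * 1000))
```

At the article's real numbers the trailing run is about 99.9% of the file, so the ratio test fires comfortably; the `min_run` floor keeps ordinary executables with a few kilobytes of section alignment zeros from tripping it. Feed the stripped core, not the inflated file, to the sandbox or scanner that rejected it on size.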

Dubbed by Europol as "one of the most professional and long-lasting cybercrime services," Emotet caused hundreds of millions of dollars in damages. It began life as a banking Trojan but its primary purpose today is to serve as a gateway to ransomware deployed by threat actors reconstituted from the Conti group, said Jason Meurer, a cybersecurity researcher with Cofense, in an interview with Information Security Media Group.

A multinational law enforcement operation in January 2021 disrupted the botnet, but it didn't take long for Emotet to come back: it resurfaced that November.

The threat group - which is tracked alternatively as TA542, Mummy Spider and Gold Crestwood - was likely behind "massive" Emotet activity in 2022 and linked to the botnet's development, Proofpoint told Information Security Media Group at the time (see: Emotet Returns With New Tricks Up Its Sleeve).

There now exists anecdotal evidence that a new operator has taken control of Emotet "who seems to be attempting to relearn how to operate it, but then also trying out some new techniques, like these new large documents that they're doing," Meurer said.

"It seems like there have been some mergers and acquisitions on the back end where we can't necessarily see exactly what's going on, but we have a pretty good idea."

Emotet activity is at times inversely related to Qakbot activity, suggesting a connection between the two botnets, Meurer added.

With reporting from ISMG's David Perera in Washington, D.C.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
