Emotet Is Back Again!
Malware Reemerges With Improved Evasion and Appreciation of 19th-Century Literature
Emotet malware is again active. Security researchers marked the latest sighting of the Microsoft Office-loving Trojan in what's becoming a cycle of reemergence and hibernation.
Before the newest wave of malicious Emotet emails began earlier this month, researchers from Cofense say the malware was active for a two-week run in November. The latest batch of malicious emails contains a zipped Office document embedded with macros and a social engineering prompt coaxing users to blow through the security warnings Microsoft throws up to prevent infections from downloaded files.
Trend Micro says Emotet has a new command-and-control infrastructure and new evasion techniques. Deep Instinct says an element of the evasion is pasting a chunk of the 19th-century American novel "Moby Dick" into the malicious Word document as white text to surreptitiously bulk up the word count. "Many security tools will classify a Word document with just an image and a macro as malicious, which is true in most cases," the firm says.
Emotet also applies a trick known as binary padding or file pumping to make the malicious attachment larger than the size limitations imposed by anti-malware solutions such as sandboxes and scan engines, Trend Micro writes. In the event someone enables the malicious macro, Emotet delivers an inflated Windows DLL file that expands from 616 kilobytes to 548.1 megabytes.
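For defenders triaging oversized attachments or dropped DLLs, the Python below is an added example (not code from the article or from the vendors it cites) that measures how much of a file is trailing filler without loading it into memory. It assumes the padding is a run of one repeated byte appended to the end of the file, which the article does not specify; the function names and thresholds are hypothetical, and the sample file is constructed.

```python
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so very large files never load fully into memory


def trailing_pad_length(path, chunk=CHUNK):
    """Return (run_length, byte) for the run of one repeated byte that ends the file."""
    size = os.path.getsize(path)
    if size == 0:
        return 0, None
    with open(path, "rb") as fh:
        fh.seek(size - 1)
        pad_byte = fh.read(1)          # candidate filler byte = last byte of the file
        pad_len, pos = 0, size
        while pos > 0:                 # walk backwards from end of file, chunk by chunk
            start = max(0, pos - chunk)
            fh.seek(start)
            block = fh.read(pos - start)
            stripped = block.rstrip(pad_byte)
            pad_len += len(block) - len(stripped)
            if stripped:               # a different byte was reached: the run ends here
                break
            pos = start
    return pad_len, pad_byte


def is_pumped(path, min_pad=1 << 20, min_ratio=0.5):
    """Flag files that are mostly trailing filler. Thresholds are assumptions to tune."""
    size = os.path.getsize(path)
    if size == 0:
        return False
    pad_len, _ = trailing_pad_length(path)
    return pad_len >= min_pad and pad_len / size >= min_ratio


def make_sample(payload, pad_len, pad_byte=b"\x00"):
    """Write a constructed test file: payload bytes followed by pad_len filler bytes."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
        fh.write(pad_byte * pad_len)
    return path


if __name__ == "__main__":
    sample = make_sample(b"MZ" + bytes(range(1, 256)) * 4, 3 * (1 << 20))
    print(trailing_pad_length(sample), is_pumped(sample))
    os.remove(sample)
```

A file flagged this way can be routed for analysis with the filler trimmed rather than skipped for exceeding a scanner's size limit.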
Dubbed by Europol as "one of the most professional and long-lasting cybercrime services," Emotet caused hundreds of millions of dollars in damages. It began life as a banking Trojan but its primary purpose today is to serve as a gateway to ransomware deployed by threat actors reconstituted from the Conti group, said Jason Meurer, a cybersecurity researcher with Cofense, in an interview with Information Security Media Group.
A multinational law enforcement operation in 2021 disrupted the botnet but it didn't take long for Emotet to come back.
The threat group - which is tracked alternatively as TA542, Mummy Spider and Gold Crestwood - was likely behind "massive" Emotet activity in 2022 and linked to the botnet's development, Proofpoint told Information Security Media Group at the time (see: Emotet Returns With New Tricks Up Its Sleeve).
There now exists anecdotal evidence that a new operator has taken control of Emotet "who seems to be attempting to relearn how to operate it, but then also trying out some new techniques, like these new large documents that they're doing," Meurer said.
"It seems like there have been some mergers and acquisitions on the back end where we can't necessarily see exactly what's going on, but we have a pretty good idea."
Emotet activity at times runs directly inverse to Qakbot activity, suggesting a connection between the two botnets, Meurer added.
With reporting from ISMG's David Perera in Washington, D.C.