Emotet Returns With New Tricks Up Its Sleeve
Botnet 'Switching Things Up,' Testing New Attack Behaviors, Proofpoint Says
The Emotet botnet, which was disrupted by law enforcement actions in January 2021, has been making its way back into the threat landscape. Cybersecurity researchers have now recorded a brief departure from its typical behavior, indicating that the group is likely testing new attack techniques.
"After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs alongside its existing high-volume campaigns," says Sherrod DeGrippo, vice president, threat research and detection, at cybersecurity company Proofpoint.
In a report shared with Information Security Media Group, Proofpoint researchers attribute the latest Emotet activity to threat group TA542. Proofpoint says it has been tracking this criminal entity, which has been linked to the core development of Emotet, since 2014. This was the same year that the group's signature payload Emotet, also known as Geodo, first appeared as a banking Trojan, according to Proofpoint. TA542 is currently using the latest version of the malware to launch widespread email campaigns that affect North America, Central America, South America, Europe, Asia and Australia.
Europol has called Emotet "one of the most professional and long-lasting cybercrime services." The malware has caused hundreds of millions of dollars in damages, according to a U.S. Justice Department statement from January 2021.
Emotet Back From 'Spring Break'
In November 2021, 10 months after its disappearance from the threat landscape, several cybersecurity firms and researchers spotted it again (see: Researchers Spot Comeback of the Emotet Botnet).
Researchers at Proofpoint observed a reemergence of this notorious botnet between April 4 and April 19, 2022, according to the report.
"The group associated with Emotet, TA542, has targeted thousands of customers with tens of thousands of messages in multiple geographic regions. In some cases, the message volume reaches over one million per campaign," the report says.
Recently, the researchers identified low-volume Emotet activity that differed sharply from typical Emotet threat behavior. The activity occurred while Emotet was on a "spring break," not conducting its usual high-volume campaigns, and typical activity has since resumed, they say.
The new TTPs, however, indicate that the operator, likely TA542, is now engaged in more "selective" and "limited" attacks in parallel to the typical massive scale email campaigns, Proofpoint says.
Last week, cybersecurity firm Kaspersky reported a significant spike in activity from a malicious spam email campaign spreading Emotet and Qbot malware, specifically targeting corporate users.
"The number of such malicious emails grew from around 3,000 in February 2022 to approximately 30,000 in March. The campaign is likely connected to the increasing activity of the Emotet botnet," Kaspersky says in its report. "Malicious emails have been detected in the English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian and Spanish languages."
Proofpoint researchers observed Emotet being distributed via emails sent from what appear to be compromised sender accounts, they say.
"The emails were not sent by the Emotet spam module. The subjects were simple and contained one word such as 'salary.' The email bodies contained only OneDrive URLs and no other content. The OneDrive URLs hosted zip files containing Microsoft Excel Add-in (XLL) files," the researchers say.
Researchers found that the zip archives and XLL files used the same lures as the email subjects, such as Salary_new.zip, which contained four copies of the same XLL file with names such as "Salary_and_bonuses-04.01.2022.xll." These XLL files, when executed, drop and run Emotet, leveraging the Epoch 4 botnet, the report says.
Prior to Emotet's takedown, security experts say three different Emotet botnets - Epoch 1, 2 and 3 - were being used to distribute and control the malware. Since Emotet's reappearance around Nov. 14, 2021, researchers have been tracking two new Emotet botnets: Epoch 4 and 5 (see: Emotet Tactic May Presage More Rapid Ransomware Infections).
This newly identified activity differs from previously observed Emotet campaigns, Proofpoint researchers say. The variations include:
- The low-volume nature of the activity: Researchers say Emotet is known for distributing high-volume email campaigns to many customers globally, with some campaigns in recent weeks hitting 1 million messages total.
- The use of OneDrive URLs: Previously, Emotet delivered Microsoft Office attachments directly, or URLs hosted on compromised sites that linked to Office files.
- The use of XLL files: Earlier, Emotet was known to use Microsoft Excel or Word documents containing VBA or XL4 macros. The latest campaign instead uses XLLs, which are Excel add-ins: native dynamic link library, or DLL, files built to extend the application's functionality. Because Excel loads an XLL as native code when the add-in is opened, no macro has to be enabled for the payload to run.
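The archive layout described above, as an added example that is not Proofpoint's code or tooling: a small Python triage routine that opens a zip attachment, flags .xll entries, checks whether each entry is actually a PE image (the MZ/PE headers a DLL carries) and whether it references the xlAutoOpen export that Excel calls when it loads an add-in, and notes when several entries are byte-identical copies, as in the Salary_new.zip sample. The sample archive is constructed inline from inert stub bytes; the file names beyond the one the report quotes, and all helper names, are assumptions.

```python
"""Triage a zip attachment for Excel add-in (XLL) payloads.

Added example, not code from the report. The sample archives below are
constructed in memory with inert stub bytes, not real malware.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field

# Export Excel resolves and calls when an add-in is loaded; a real XLL
# carries this name in its export table.
XLL_AUTO_OPEN = b"xlAutoOpen"


@dataclass
class ZipTriage:
    entries: int = 0
    xll_entries: list = field(default_factory=list)        # by extension
    pe_entries: list = field(default_factory=list)         # by MZ/PE headers
    auto_open_entries: list = field(default_factory=list)  # xlAutoOpen present
    distinct_payloads: int = 0
    reasons: list = field(default_factory=list)
    suspicious: bool = False


def is_pe_image(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_zip(data: bytes) -> ZipTriage:
    """Inspect every file entry of a zip held in memory and collect indicators."""
    result = ZipTriage()
    hashes = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result.entries += 1
            blob = zf.read(info)
            hashes.add(hashlib.sha256(blob).hexdigest())
            if info.filename.lower().endswith(".xll"):
                result.xll_entries.append(info.filename)
            if is_pe_image(blob):
                result.pe_entries.append(info.filename)
            if XLL_AUTO_OPEN in blob:
                result.auto_open_entries.append(info.filename)
    result.distinct_payloads = len(hashes)

    if result.xll_entries:
        result.reasons.append("archive contains .xll add-in(s)")
    # A DLL under a non-.xll name is still native code if Excel is made to load it.
    disguised = [n for n in result.pe_entries if n not in result.xll_entries]
    if disguised:
        result.reasons.append("PE image under non-.xll name: " + ", ".join(disguised))
    if result.auto_open_entries:
        result.reasons.append("xlAutoOpen export name present")
    if result.entries > 1 and result.distinct_payloads == 1:
        result.reasons.append(f"{result.entries} byte-identical copies of one payload")
    result.suspicious = bool(result.reasons)
    return result


def build_sample_zip() -> bytes:
    """Constructed stand-in for Salary_new.zip: four copies of one stub XLL.

    Only the first file name is quoted in the report; the rest are assumed.
    The stub has a valid MZ/PE header layout and the xlAutoOpen string, nothing else.
    """
    stub_xll = (b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little")
                + b"PE\x00\x00" + b"\x00" * 16 + XLL_AUTO_OPEN + b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for day in range(1, 5):
            zf.writestr(f"Salary_and_bonuses-04.0{day}.2022.xll", stub_xll)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control archive holding one plain CSV file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.csv", b"name,amount\nalice,100\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("sample", build_sample_zip()), ("benign", build_benign_zip())):
        verdict = triage_zip(archive)
        print(label, "suspicious" if verdict.suspicious else "clean", verdict.reasons)
```

The MZ/PE check matters more than the extension: an attacker can rename the add-in, but Excel still needs a PE image to load it, and the xlAutoOpen name is the hook every add-in exposes. The duplicate-payload check is the cheapest signal of the four-copies packaging the report describes.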
Doing Away With Macros
Proofpoint says that TA542 is looking for new techniques that do not rely on macro-enabled documents, given that Microsoft is making it difficult for threat actors to use macros as an infection vector.
In February, Microsoft announced that VBA macros in files obtained from the internet would be blocked by default: users could no longer enable them with the click of a button, and a notification bar would warn users that the file came from the internet and link to more details.
Microsoft said the change only affects devices running Windows and only the following applications: Access, Excel, PowerPoint, Visio and Word. The change was expected to begin rolling out in Version 2203, starting with Current Channel (Preview), in early April 2022.
Microsoft also had plans to make this change to Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013.
This follows Microsoft's 2021 announcement that Excel 4.0 (XL4) macros would be disabled by default. Threat actors that use macro-enabled attachments, including TA542, typically rely on social engineering to convince a recipient that the content is trustworthy and that enabling macros is necessary to view it, Proofpoint's report notes.
Proofpoint's DeGrippo says organizations should be aware of the new techniques and ensure they are implementing appropriate defenses.