Dangerous emotet botnet resumes email activity
by Tina Siering
The return of Emotet 2023
Successful compromises by the notorious Emotet malware are occurring again. After several months of inactivity, the botnet resumed its email activity on 07.03.2023. Some IT security experts called the malware the most dangerous malware in the world. In fact, the damage caused in the past was enormous. Now the malware repeatedly exploits weaknesses in Microsoft Office - the current spread is via emails with malicious Microsoft Word and Excel attachments.
On 07/03/2023, cybersecurity firm Cofense and Emotet tracking group Cryptolaemus reported that the malware is active again, sending infected emails with attached ZIP files that are not password protected. The ZIP attachments contain Word documents up to 500 MB in size, which are said to make it difficult for AV solutions to successfully scan and detect the malware.
The attached files are disguised as invoice documents. In fact, MS Office documents contain malicious macros, which in turn download and execute the Emotet DLL. The Word documents use Emotet's "Red Dawn" document template. This prompts the user to activate the content of the document so that it is displayed correctly.
The malware is suspected to be used to end-use victims' email and contact information for future Emotet attacks. It could also be used to inject additional payloads such as Cobalt Strike or other malware components that usually lead to ransomware attacks. At present, the attack volume still seems to be low. Presumably, at this (early) stage, the attackers are concerted on collecting new credentials and contacts.
After downloading, Emotet is saved in a randomly named folder under %LocalAppData% and launched with the file regsvr32.exe for further command-and-control server communication. This is used to extend the attack privileges of the threat actors and further propagate in the infiltrated network.
Default macro deactivation by Microsoft could affect spreading
Emotet currently appears to be building a new botnet. However, it can be assumed that the method described may not be as successful as past waves of attacks. The reason is a Microsoft update in July 2022: Since then, VBA macros from the internet are blocked and deactivated by default in Office.
Because of this update, users who try to open an emotet document are warned that the macros are disabled because the source of the file is not trustworthy. Most recipients of Emotet emails will thus probably be protected from activating macros by mistake, unless it is specifically attempted. Nevertheless, one should definitely remain vigilant: the threat actors could use other file formats for the malicious e-mail attachments in case of "supposed failure".
It is still unclear how long the current wave of attacks will last. While Emotet was considered the most widespread malware in the past, its spread has gradually slowed, with the last spam campaign occurring in November 2022 and lasting just over 2 weeks.
Allgeier secion customers with an active Managed Service contract for Active Cyber Defense are of course informed separately about malicious communications on their systems.
Update March 20th, 2023:
Warning:
The Emotet malware is now also being spread via Microsoft OneNote email attachments in order to circumvent Microsoft's security restrictions! The switch to this method of distribution is most likely due to Microsoft's success in increasing the use of macros to block the original tactic.
prevent.
Need help upgrading your IT security for 2023? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.