Dangerous Emotet botnet resumes email activity
by Tina Siering
The return of Emotet 2023
Successful compromises by the notorious Emotet malware are being observed again. After several months of inactivity, the botnet resumed its email activity on 7 March 2023. Some IT security experts have called Emotet the most dangerous malware in the world, and the damage it caused in the past was indeed enormous. Once again the malware relies on Microsoft Office as its entry point, abusing Office macros rather than any software vulnerability: the current wave spreads via emails carrying malicious Microsoft Word and Excel attachments.
On 7 March 2023, the cybersecurity firm Cofense and the Emotet tracking group Cryptolaemus reported that the malware is active again, sending malicious emails with ZIP attachments that are not password protected. The ZIP archives contain Word documents inflated to as much as 500 MB, a size reported to hinder AV solutions in scanning and detecting the malware (many engines skip or truncate files above a certain size, and the padding compresses so well that the ZIP itself stays small enough to pass mail gateways).
The attachments are disguised as invoices. The Office documents contain malicious VBA macros which, once enabled, download and execute the Emotet DLL. The Word documents use Emotet's "Red Dawn" document template, which tells the user to enable the document's content so that it is "displayed correctly"; doing so runs the macro.
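The two tricks described above (a padded, oversized document inside a plain ZIP, and a macro project inside the document) can both be checked mechanically at the mail gateway. The following triage script is an added example and is not code from the original article or from Cofense or Cryptolaemus; the size and ratio thresholds are assumptions, and the sample attachment it builds is constructed test data with an empty vbaProject.bin marker rather than a real macro. It measures the compression ratio of each ZIP member (hundreds of megabytes of NUL padding compress to a few kilobytes), locates the true end of the document so that the padding can be quantified, and then looks for a VBA project in both the OOXML (.docm/.xlsm) and legacy OLE (.doc/.xls) formats.

```python
"""Triage a ZIP mail attachment for Emotet-style padded, macro-bearing Office documents.
Added example; thresholds and sample data are assumptions, not from the article."""
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container signature
ZIP_EOCD = b"PK\x05\x06"                          # end-of-central-directory signature
SIZE_THRESHOLD = 10 * 1024 * 1024                 # assumed: invoices are not 10+ MiB
RATIO_THRESHOLD = 100.0                           # assumed: >100:1 means padding


def real_length(doc_bytes):
    """Length of the document proper, excluding bytes appended after its end."""
    if doc_bytes.startswith(b"PK"):
        eocd = doc_bytes.rfind(ZIP_EOCD)
        if eocd == -1:
            return len(doc_bytes)
        # EOCD record is 22 bytes; the comment length sits at offset 20
        comment_len = struct.unpack_from("<H", doc_bytes, eocd + 20)[0]
        return eocd + 22 + comment_len
    # OLE2 and anything else: treat trailing NUL bytes as padding
    return len(doc_bytes.rstrip(b"\x00"))


def inspect_document(doc_bytes):
    """Findings for one Office document: appended padding and VBA presence."""
    findings = []
    body = doc_bytes[: real_length(doc_bytes)]
    padding = len(doc_bytes) - len(body)
    if padding > 1024 * 1024:
        findings.append(f"{padding // (1024 * 1024)} MiB appended after document end")
    if body.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as office:
                for name in office.namelist():
                    if name.endswith("vbaProject.bin"):
                        findings.append(f"VBA project present: {name}")
        except zipfile.BadZipFile:
            findings.append("PK header but not a valid OOXML container")
    elif body.startswith(OLE_MAGIC):
        # OLE directory entry names are UTF-16LE; heuristic check for a VBA stream
        if "_VBA_PROJECT".encode("utf-16-le") in body:
            findings.append("legacy OLE document with VBA project stream")
        else:
            findings.append("legacy OLE document (macro-capable format)")
    return findings


def triage_zip_attachment(zip_bytes):
    """Map each member of the outer ZIP to its list of findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            findings = []
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > SIZE_THRESHOLD:
                findings.append(f"oversized: {info.file_size // (1024 * 1024)} MiB uncompressed")
            if ratio > RATIO_THRESHOLD:
                findings.append(f"compression ratio {ratio:.0f}:1 suggests padding")
            findings.extend(inspect_document(outer.read(info)))
            report[info.filename] = findings
    return report


def build_sample_attachment(pad_bytes=16 * 1024 * 1024, with_macro=True):
    """Constructed stand-in for the lure: a .docm (optionally with an empty
    vbaProject.bin marker), NUL-padded, inside a ZIP without a password."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w", zipfile.ZIP_DEFLATED) as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            d.writestr("word/vbaProject.bin", b"")   # marker only, no real macro
    padded = doc.getvalue() + b"\x00" * pad_bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as o:
        o.writestr("Invoice_2023-03.docm", padded)
    return outer.getvalue()


if __name__ == "__main__":
    for name, findings in triage_zip_attachment(build_sample_attachment()).items():
        print(name, findings)
```

Note that a naive parser which hands the padded document straight to zipfile fails, because the end-of-central-directory record is no longer within the last few kilobytes of the file; that is the same effect the padding has on scanners that do not look past a size limit, which is why the script trims to the real document length before inspecting it.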
Emotet is expected to be used to harvest victims' email and contact information for future Emotet campaigns. It can also be used to drop additional payloads such as Cobalt Strike or other malware components that typically lead to ransomware attacks. At present the attack volume still appears to be low; presumably, at this early stage, the operators are concentrating on collecting new credentials and contacts.
Once downloaded, the Emotet DLL is saved in a randomly named folder under %LocalAppData% and launched with regsvr32.exe, after which it contacts its command-and-control servers. From there the threat actors work to escalate their privileges and propagate further within the compromised network.
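The execution chain just described (an Office process spawning regsvr32.exe, which loads a DLL from a random folder under %LocalAppData%) is visible in process-creation telemetry such as Sysmon Event ID 1. The following detection logic is an added example and is not code from the original article; the field names follow Sysmon's process-creation event, the log lines are constructed, and the rule set is slightly broader than the article's case in that it also flags other script hosts spawned by Office and DLLs loaded via rundll32.exe.

```python
"""Flag Emotet-style process chains in JSON-lines process-creation events.
Added example; the sample log is constructed, not real telemetry."""
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "onenote.exe"}
# Children a macro or embedded script typically launches (LOLBins)
OFFICE_CHILD_SUSPECTS = {
    "regsvr32.exe", "rundll32.exe", "cmd.exe", "powershell.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}
DLL_HOSTS = {"regsvr32.exe", "rundll32.exe"}
# %LocalAppData% expands to C:\Users\<user>\AppData\Local
LOCALAPPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in OFFICE_CHILD_SUSPECTS:
        hits.append("office_spawns_lolbin")
    if image in DLL_HOSTS and LOCALAPPDATA_RE.search(cmdline):
        hits.append("dll_loaded_from_localappdata")
    return hits


def scan(log_lines):
    """Run every rule over JSON-lines input; return one alert per matching event."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = evaluate(event)
        if hits:
            alerts.append({"pid": event.get("ProcessId"), "rules": hits,
                           "cmd": event.get("CommandLine")})
    return alerts


# Constructed Sysmon-like events: one Emotet-style chain, one benign installer,
# one DLL from a temp folder without an Office parent, one Office-to-cmd chain.
SAMPLE_LOG = r"""
{"EventId": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Rqzvmw\\kfhtj.dll"}
{"EventId": 1, "ProcessId": 4188, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\component.dll\""}
{"EventId": 1, "ProcessId": 4310, "Image": "C:\\Windows\\SysWOW64\\regsvr32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "regsvr32 C:\\Users\\bob\\AppData\\Local\\Temp\\setup.dll"}
{"EventId": 1, "ProcessId": 4402, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "cmd.exe /c echo hi"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

The first event matches both rules and is the chain from the article; the third matches only the path rule (legitimate installers do occasionally register DLLs from a temp directory, so on its own it is a lower-confidence signal), and the fourth shows why the parent-child rule is worth keeping broader than regsvr32.exe alone.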
Microsoft's default macro blocking could limit the spread
Emotet currently appears to be building a new botnet. However, the method described is unlikely to be as successful as past waves of attacks. The reason is a change Microsoft rolled out in July 2022: since then, Office blocks VBA macros by default in files that originate from the internet, i.e. files carrying the Mark of the Web (the Zone.Identifier stream that browsers and mail clients attach to downloads and that Windows Explorer propagates to files extracted from a ZIP).
Because of this change, users who open an Emotet document are shown a security banner stating that macros have been blocked because the source of the file is untrusted, and there is no one-click "Enable content" button. Most recipients of Emotet emails will therefore be protected from enabling the macros by mistake, unless they deliberately unblock the file (for example via the Unblock checkbox in the file's Properties dialog) or extract it with a tool that strips the Mark of the Web. One should nevertheless remain vigilant: if this tactic fails to deliver, the threat actors can be expected to switch to other file formats for their malicious attachments.
It is still unclear how long the current wave of attacks will last. While Emotet was once the most widespread malware family, its activity has gradually declined; the previous spam campaign ran in November 2022 and lasted just over two weeks.
Allgeier secion customers with an active Managed Service contract for Active Cyber Defense are of course informed separately about malicious communications on their systems.
Update March 20th, 2023:
The Emotet malware is now also being spread via Microsoft OneNote email attachments in order to circumvent Microsoft's macro restrictions. The switch to this distribution method is most likely a reaction to Microsoft's default macro blocking having neutralised the original tactic: OneNote notebooks are not covered by the VBA macro policy and can carry embedded files (for example scripts) that execute when the user clicks the lure element in the notebook.