Emotet malware is back from the dead again after a 5-month break

Emotet is renewing operations and has started blasting out malware again

Emotet operations renewed: Emotet creators came back to their operations after a break

Emotet's operators were silent for five months and, after the break, have now resumed spamming emails that carry malware. Emotet is malware typically spread through phishing email campaigns that rely on Word or Excel documents with malicious content.[1]

These documents contain malicious macros[2] that, once enabled, download the malware into the machine's memory. The loaded malware can search for and steal emails and use the harvested credentials for future spam campaigns, and it can drop additional malware such as Cobalt Strike and other trojans, which in turn lead to ransomware[3] attacks on these machines.

Emotet has always been considered the most widely distributed and most active threat of its kind. However, the actors halted operations on June 13th, 2022, and the malware went silent for a while. Recent reports[4] show that Emotet is once again spamming users worldwide with malware.

Emotet has always been known as the threat that installs other malware such as TrickBot or Cobalt Strike beacons. These are commonly used for initial access by ransomware operators, who then spread laterally across targeted networks. In this way data is stolen, devices are encrypted, and the criminals extort money from victims or reuse the stolen data in other campaigns.

Operations come alive again: spamming users across the world

Researchers state that the new campaigns rely on emails stolen from existing reply chains. In this way, Emotet distributes malicious Excel attachments to infect further machines with malware. These campaigns target users around the world in different languages and with varying file names, using attachments that pose as invoices, scans, electronic forms, and other lures.

With the new campaign, Emotet also introduces an Excel attachment template that contains instructions for bypassing Protected View. Once the file is downloaded from the email as an attachment, Microsoft marks it with the special Mark-of-the-Web flag. Opening the file in Protected View prevents malicious macros from executing.[5]

The Emotet Excel attachments instruct users to copy the file into the trusted folder named Templates; doing so bypasses Protected View, even for files carrying a Microsoft Office Mark-of-the-Web flag. The system shows a warning when a file is copied into the Templates folder, but users most likely ignore it and click the Continue button, which completes the procedure.
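As an added defender-side example (not code from the original article or from 2-Spyware), the following Python triage helper parses the Zone.Identifier alternate data stream that Windows writes to downloaded files, which is the Mark-of-the-Web the article refers to, and reports whether Office would open the document in Protected View. It also models the article's point that a file placed in a Trusted Location such as Templates skips Protected View regardless of the mark. The sample streams, file names and the `in_trusted_location` flag are constructed for illustration and are not from the article.

```python
"""Triage helper: read a Zone.Identifier (Mark-of-the-Web) stream and decide
whether Office is expected to open the document in Protected View.
Added example; sample data below is constructed, not taken from any report."""
from dataclasses import dataclass
from typing import Optional

# URL security zone ids as Windows writes them into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown ({self.zone_id})")


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the raw Zone.Identifier stream of a file on NTFS (Windows only).
    Returns None when the stream is absent or cannot be read."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def parse_zone_identifier(stream: Optional[str]) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style text of a Zone.Identifier stream.
    Returns None when the stream is missing or has no usable ZoneId, which is
    precisely the case where MotW will not trigger Protected View."""
    if not stream:
        return None
    in_section = False
    fields = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    try:
        zone_id = int(fields["zoneid"])
    except (KeyError, ValueError):
        return None
    return MarkOfTheWeb(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def protected_view_applies(motw: Optional[MarkOfTheWeb], in_trusted_location: bool = False) -> bool:
    """Office opens files marked Internet (3) or Restricted Sites (4) in Protected View,
    unless the file sits in a Trusted Location (e.g. the Templates folder), which
    is exactly the bypass the lure instructions rely on."""
    if in_trusted_location:
        return False
    return motw is not None and motw.zone_id >= 3


def triage(path: str, stream: Optional[str], in_trusted_location: bool = False) -> str:
    """Human-readable verdict for one document, for use in an analyst's triage notes."""
    motw = parse_zone_identifier(stream)
    if motw is None:
        return f"{path}: no Mark-of-the-Web; Protected View not enforced by MotW"
    origin = f" from {motw.host_url}" if motw.host_url else ""
    if in_trusted_location:
        verdict = "in a Trusted Location, Protected View bypassed despite MotW"
    elif protected_view_applies(motw):
        verdict = "Protected View expected"
    else:
        verdict = "Protected View not triggered by MotW"
    return f"{path}: zone {motw.zone_id} ({motw.zone_name}){origin}; {verdict}"


# Constructed sample streams standing in for the ADS content of three files.
SAMPLE_STREAMS = {
    "Downloads/invoice_0423.xlsm": (
        "[ZoneTransfer]\r\nZoneId=3\r\n"
        "ReferrerUrl=https://mail.example.invalid/\r\n"
        "HostUrl=https://mail.example.invalid/attachment/invoice_0423.xlsm\r\n"
    ),
    "Shares/scan_2022-11.xls": "[ZoneTransfer]\r\nZoneId=2\r\n",
    "Downloads/form.xlsm": "[ZoneTransfer]\r\nZoneId=abc\r\n",  # malformed ZoneId
}

if __name__ == "__main__":
    for name, stream in SAMPLE_STREAMS.items():
        print(triage(name, stream))
    # The same Internet-zone file after the user follows the lure and copies it to Templates:
    print(triage("Templates/invoice_0423.xlsm", SAMPLE_STREAMS["Downloads/invoice_0423.xlsm"], True))
```

A missing or malformed stream is treated the same as no mark, since in both cases nothing forces Protected View; that is why a file with MotW intact but sitting in the Templates folder still shows up as bypassed in the triage line, matching the behaviour the article describes.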

The ever-evolving malware

Emotet and other threats that spread silently via malicious macros commonly focus on distributing ransomware. Infections of this type are becoming more dangerous and more popular among cybercriminals.

The ransom payments and cryptocurrency funds that can be extracted from victims motivate the people behind these infections. Many reports show that 2022 has been the year of ransomware:

It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defenses.

Emotet, like Agent Tesla, NanoCore, and other threats, uses highly obfuscated VBA macros and manages to avoid detection. These threat actors adapt their operations and tactics as AV detection evolves, so malware campaigns keep evolving, and organizations as well as users need to improve their security solutions.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
