
Emotet Malware Makes a Comeback with New Evasion Techniques

Jan 24, 2023 | Ravie Lakshmanan | Cyber Threat / Cyber Crime


The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID.

Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that’s distributed via phishing emails.

Attributed to a cybercrime group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the virus has evolved from a banking trojan to a malware distributor since its first appearance in 2014.

The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities.

The two latest additions to Emotet’s module arsenal are an SMB spreader designed to facilitate lateral movement using a list of hard-coded usernames and passwords, and a credit card stealer that targets the Chrome web browser.

Recent campaigns involving the botnet have leveraged generic lures with weaponized attachments to initiate the attack chain. But with macros becoming an obsolete method of payload distribution and initial infection, the attacks have latched on to other approaches to sneak Emotet past malware detection tools.


“With the newest wave of Emotet spam emails, the attached .XLS files have a new method for tricking users into allowing macros to download the dropper,” BlackBerry disclosed in a report published last week. “In addition to this, new Emotet variants have now moved from 32bit to 64bit, as another method for evading detection.”

The method involves instructing victims to move the decoy Microsoft Excel files to the default Office Templates folder in Windows, a location trusted by the operating system, to execute malicious macros embedded within the documents to deliver Emotet.

Put differently, the social engineering twist makes it possible to bypass Mark of the Web (MotW) protections, which load the Office files downloaded from the internet in Protected View, a read-only mode with macros and other content disabled.
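As an added illustration (not code from the article or the BlackBerry report), the following Python check looks for the end state of this lure from the defender's side: an Office document that still carries an Internet-zone Mark of the Web but sits in the user's Office Templates folder, which Office treats as a trusted location. The `%APPDATA%\Microsoft\Templates` path, the file list and the stream contents below are constructed assumptions; on Windows the mark itself lives in the file's `Zone.Identifier` alternate data stream.

```python
import os
import re
from pathlib import PureWindowsPath

# MotW zone ids as written by browsers into the Zone.Identifier stream:
# 0 local, 1 intranet, 2 trusted sites, 3 internet, 4 restricted.
ZONE_INTERNET = 3
OFFICE_EXTS = {".xls", ".xlsx", ".xlsm", ".xlsb", ".doc", ".docx", ".docm"}


def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier stream contents, or None."""
    m = re.search(r"^ZoneId\s*=\s*(\d+)\s*$", stream_text, re.M | re.I)
    return int(m.group(1)) if m else None


def read_zone_identifier(path):
    """Read the ADS on Windows/NTFS; None when absent or unsupported."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def is_suspicious_template(path, stream_text):
    """True for an Office file inside ...\\Microsoft\\Templates that still
    carries an Internet/Restricted MotW: it was downloaded, then moved into
    a trusted location where Protected View no longer applies."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in OFFICE_EXTS:
        return False
    if [s.lower() for s in p.parent.parts[-2:]] != ["microsoft", "templates"]:
        return False
    zone = parse_zone_id(stream_text or "")
    return zone is not None and zone >= ZONE_INTERNET


def scan_templates_dir(folder):
    """Walk a Templates folder on Windows and return the flagged file paths."""
    hits = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            if is_suspicious_template(full, read_zone_identifier(full)):
                hits.append(full)
    return hits


if __name__ == "__main__":
    # Constructed sample: a downloaded .xls moved into the Templates folder.
    sample = r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\invoice.xls"
    ads = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
    print(sample, "->", "FLAG" if is_suspicious_template(sample, ads) else "ok")
```

Run `scan_templates_dir(os.path.expandvars(r"%APPDATA%\Microsoft\Templates"))` on a Windows host to list any such files; the check is a hunting aid, not a substitute for keeping macro blocking and Protected View policies in place.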

The development points to Emotet’s steady attempts to retool itself and propagate other malware, such as Bumblebee and IcedID.

“With its steady evolution over the last eight-plus years, Emotet has continued to become more sophisticated in terms of evasion tactics; has added additional modules in an effort to further propagate itself, and is now spreading malware via phishing campaigns,” the Canadian cybersecurity firm said.
