“Hundreds of thousands of emails per day” have been sent since early November 2022, enterprise security company Proofpoint said last week, adding, “the new activity suggests Emotet is returning to its full functionality acting as a delivery network for major malware families.”
Among the primary countries targeted are the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil.
The Emotet-related activity was last observed in July 2022, although sporadic infections have been reported since then. In mid-October, ESET revealed that Emotet may be readying for a new wave of attacks, pointing out updates to its “systeminfo” module.
The malware, which is attributed to a threat actor known as Mummy Spider (aka Gold Crestwood or TA542), staged a revival of sorts late last year after its infrastructure was dismantled during a coordinated law enforcement operation in January 2021.
Europol called Emotet the “world’s most dangerous malware” for its ability to act as a “primary door opener for computer systems” to deploy next-stage binaries that facilitate data theft and ransomware. It started off in 2014 as a banking trojan before evolving into a botnet.
Infection chains involving the malware are known to employ generic lures as well as the technique of email thread hijacking to lure recipients into opening macro-enabled Excel attachments.
“Following Microsoft’s recent announcement that it would begin disabling macros by default in Office documents downloaded from the internet, many malware families have begun migrating away from Office macros to other delivery mechanisms like ISO and LNK files,” Cisco Talos said earlier this month.
“Therefore, it is interesting to note that this new campaign of Emotet is using its old method of distributing malicious Microsoft Office documents (maldocs) via email-based phishing.
An alternative method urges potential victims to copy the file to a Microsoft Office Template location – a trusted location – and launch the lure document from there instead of having to explicitly enable macros to activate the kill-chain.
The renewed activity has also been accompanied by changes to the Emotet loader component, a reimplementation of the C2 communications using the Windows Timer Queue API, addition of new commands, and updates to the packer to resist reverse engineering.
One of the follow-on payloads distributed through Emotet is a brand new variant of the IcedID loader, which receives commands to read and send file contents to a remote server, in addition to executing other backdoor instructions that allow it to extract web browser data.
The use of IcedID is concerning as it’s likely a precursor for ransomware, the researchers pointed out. Another malware dropped via Emotet is Bumblebee, according to Palo Alto Networks Unit 42.
“Overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet,” researchers Pim Trouerbach and Axel F said.
“Emotet has not demonstrated full functionality and consistent follow-on payload delivery (that’s not Cobalt Strike) since 2021, when it was observed distributing The Trick and Qbot.”