Emotet tests new attack chain in low volume campaigns

Emotet operators are testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.

The operators of the infamous Emotet botnet are testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.

The threat actors are adopting the new techniques on a limited number of targets before adopting them in larger scape malspam campaigns.

Proofpoint researchers state that the operators are testing the new techniques in more selective attacks in parallel to the typical large scape malspam attacks.

“The activity occurred while Emotet was on a “spring break,” not conducting its typical high volume threat campaigns.” reads the analysis published by Proofpoint. “The threat actor has since resumed its typical activity. Proofpoint assesses that the threat group distributing Emotet is likely testing new tactics, techniques, and procedures (TTPs) on a small scale before adopting them in broader campaigns or to deploy them in parallel with the broad campaigns.”

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In mid-November 2021 researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors are using the TrickBot malware to drop an Emotet loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

In December, the Emotet malware was observed directly installing Cobalt Strike beacons to give the attackers access to the target network.

Researchers from AdvIntel believe that the return will have a significant impact on the ransomware operations in the threat landscape, likely “the largest threat ecosystem shift in 2021” and beyond due to three reasons:

1. Emotet’s unmatched continuous loader capabilities
2. The correlation between these capabilities and the demanded of the contemporary cybercrime market
3. The return of the TrickBot-Emotet-Ransomware triad resulted from the first two points.

The Emotet botnet was resurrected by its former operator, who was convinced by the Conti ransomware gang. The shutdown of the Emotet operation resulted in the lack of high-quality initial access brokers.

Qbot and TrickBot used Emotet’s service to deploy multiple ransomware strains, including Conti, DoppelPaymer, Egregor, ProLock, Ryuk, and others).

The low-volume Emotet campaign spotted by Proofpoint leverages a compromised sender’s account and the emails were not sent by the Emotet spam module. The campaign was observed between April 4, 2022, and April 19, 2022. The messages used simple words as subject such as “Salary”. The messages include OneDrive URLs pointing zip files containing Microsoft Excel Add-in (XLL) files.

“The zip archives and XLL files used the same lures as the email subjects, such as “Salary_new.zip.” This particular archive contained four copies of the same XLL file with names such as “Salary_and_bonuses-04.01.2022.xll”. The XLL files, when executed, drop and run Emotet leveraging the Epoch 4 botnet.” continues the analsys. 

The execution of the Microsoft Excel Add-in (XLL) files in the ZIP archives allows to drop and run the Emotet payload.

In order to evade detection, the threat actors are testing a different attack chain, that unlike the typical one doesn’t use macro-enabled Microsoft Excel or Word document attachments.

The analysis published by ProofPoint also includes Indicators of Compromise (IoCs).

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, EMOTET)

[adrotate banner=”5″]

[adrotate banner=”13″]