Emotet malware returns after a three-month hiatus


The Emotet malware campaign has resumed after a lull of about three months. Malicious emails are once again reaching recipients around the world.

Emotet is a well-known malware family distributed by email. It reaches the target computer as a malicious Microsoft Word or Excel attachment. When the user opens the document and enables macros, the macros load the Emotet DLL into memory, where it silently waits for instructions from a remote command-and-control (C2) server.

Eventually the malware starts stealing the victim's emails and contacts for use in future Emotet campaigns, or downloads additional payloads such as Cobalt Strike or other malware.

Although Emotet was once considered one of the most prevalent malware families, its activity had been slowly fading; the last spam operation was observed in November 2022.

The cybersecurity company Cofense and the Cryptolaemus research group have warned that the Emotet botnet has resumed sending emails.

In the current campaign, the attackers send emails purporting to contain tax records. The attached ZIP archives contain Word documents inflated to 500 megabytes or more: the documents are artificially padded to make them harder for antivirus solutions to scan, since many scanners skip or only partially inspect very large files. The documents use Emotet's "Red Dawn" template, which prompts the user to click "Enable Content" so that the document "displays properly".
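A triage check for the inflated attachments described above, written for this page as an added example (it is not code from Cofense, Cryptolaemus or the original report). It assumes, since the page does not say how the inflation is done, that the padding is a long run of a single byte value appended after the real document, which is also what lets a 500 MB document fit in an e-mail ZIP. The sample files, thresholds and function names are constructed for the example.

```python
"""Triage heuristic for artificially inflated Office attachments.

Added example, not code from the original report. Assumption (not stated on
the page): the inflation is a run of one byte value appended after the real
document content. The thresholds below are illustrative.
"""
import random
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc / .xls container
ZIP_MAGIC = b"PK\x03\x04"                         # .docx / .xlsx (OOXML) container


def container_type(data: bytes) -> str:
    """Identify the Office container from its magic bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def trailing_run_length(data: bytes) -> int:
    """Number of identical bytes at the very end of the file (the padding)."""
    if not data:
        return 0
    # rstrip removes every trailing occurrence of the final byte value
    return len(data) - len(data.rstrip(data[-1:]))


def compression_ratio(data: bytes) -> float:
    """compressed size / raw size; padding compresses to almost nothing."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def triage_attachment(data: bytes, size_threshold: int = 100 * 1024 * 1024,
                      padding_fraction_threshold: float = 0.5,
                      ratio_threshold: float = 0.01) -> dict:
    """Flag a document that is large only because of appended padding."""
    size = len(data)
    padding = trailing_run_length(data)
    padding_fraction = padding / size if size else 0.0
    ratio = compression_ratio(data)
    suspicious = size >= size_threshold and (
        padding_fraction >= padding_fraction_threshold or ratio <= ratio_threshold)
    return {
        "container": container_type(data),
        "size": size,
        "padding_bytes": padding,
        "padding_fraction": padding_fraction,
        "compression_ratio": ratio,
        "suspicious": suspicious,
        "stripped_size": size - padding,  # what the real document occupies
    }


def pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Deterministic incompressible filler standing in for real document content."""
    return random.Random(seed).getrandbits(8 * n).to_bytes(n, "little")


def constructed_samples() -> dict:
    """Constructed stand-ins, not real Emotet files."""
    content = pseudo_random_bytes(1234, 64 * 1024)
    return {
        # small, unpadded OOXML document
        "normal_docx": ZIP_MAGIC + content,
        # small real content followed by 3 MiB of zero padding
        "padded_doc": OLE_MAGIC + content + b"\x00" * (3 * 1024 * 1024),
        # large but genuinely incompressible content, no padding
        "large_legit": OLE_MAGIC + pseudo_random_bytes(99, 2 * 1024 * 1024),
    }


if __name__ == "__main__":
    # 1 MiB threshold keeps the demo small; use 100 MiB or more in practice
    for name, blob in constructed_samples().items():
        r = triage_attachment(blob, size_threshold=1024 * 1024)
        print(f"{name:12s} {r['container']:7s} size={r['size']:>8d} "
              f"padding={r['padding_fraction']:.2%} "
              f"ratio={r['compression_ratio']:.3f} suspicious={r['suspicious']}")
```

The padding fraction is the decisive signal: a real 500 MB document does not consist mostly of one byte value, while the compression ratio alone can be fooled by documents that are legitimately repetitive. The stripped size tells the analyst how large the genuine document is, so the padded file can be truncated and handed to a scanner that would otherwise skip it.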

The malicious documents contain a large set of macros that download the Emotet loader, packaged as a DLL, from attacker-controlled sites, many of which are compromised WordPress blogs.

Once downloaded, the DLL is saved in a randomly named folder under %LocalAppData% and launched with regsvr32.exe. The malware then runs in the background, waiting for commands that will likely install additional payloads on the computer. Historically, such infections have ended in data theft and full-scale ransomware attacks.
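The execution chain above (an Office macro host spawning regsvr32.exe to load a DLL from a randomly named folder under %LocalAppData%) is a good hunting pattern. The script below is an added example written for this page, not a detection published by Cofense or Cryptolaemus. The process-creation events are constructed, Sysmon-style records, and the field names, the vendor-folder allowlist and the score threshold are assumptions for the example.

```python
"""Hunt for regsvr32.exe loading a DLL from a random folder under %LocalAppData%.

Added example. Events are constructed, not real telemetry; field names,
allowlist and threshold are assumptions to be tuned per environment.
"""
import re

# Macro hosts named on the page as the delivery vehicle
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

# Assumption: illustrative allowlist of legitimate folders under %LocalAppData%.
# Emotet uses a random folder name instead of one of these.
KNOWN_LOCALAPPDATA_DIRS = {"microsoft", "google", "programs", "temp", "packages"}

# Matches "...\AppData\Local\<folder>\...\<file>.dll", capturing the top folder
LOCALAPPDATA_DLL = re.compile(
    r"\\AppData\\Local\\([^\\\"]+)\\(?:[^\\\"]+\\)*[^\\\"]+\.dll", re.IGNORECASE)

# Constructed sample events (not real telemetry)
CONSTRUCTED_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Xqvmdh\pqrnlz.dll"',
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe "C:\Users\alice\AppData\Local\Microsoft\OneDrive\FileSyncShell64.dll"',
     "parent_image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(folder: str) -> bool:
    """Crude heuristic: an alphabetic folder name that is not a known vendor directory."""
    return (folder.lower() not in KNOWN_LOCALAPPDATA_DIRS
            and re.fullmatch(r"[A-Za-z]{5,}", folder) is not None)


def score_event(event: dict):
    """Return a scored finding for a regsvr32 load from %LocalAppData%, else None."""
    if basename(event["image"]) != "regsvr32.exe":
        return None
    match = LOCALAPPDATA_DLL.search(event["command_line"])
    if not match:
        return None
    score, reasons = 1, ["DLL loaded from %LocalAppData%"]
    folder = match.group(1)
    if looks_random(folder):
        score += 1
        reasons.append(f"folder '{folder}' is not a known vendor directory")
    if basename(event["parent_image"]) in OFFICE_PARENTS:
        score += 1
        reasons.append("spawned by an Office macro host")
    return {"score": score, "reasons": reasons,
            "command_line": event["command_line"]}


def hunt(events, threshold: int = 2) -> list:
    """Return findings whose score reaches the threshold."""
    findings = []
    for event in events:
        finding = score_event(event)
        if finding and finding["score"] >= threshold:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in hunt(CONSTRUCTED_EVENTS):
        print(finding["score"], finding["command_line"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Scoring rather than a single match keeps false positives down: OneDrive and other vendors legitimately register DLLs from %LocalAppData%\Microsoft, so the second event scores one point and is not reported, while the Office-spawned load from a random folder scores all three.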

Cofense specialists said they had not yet seen any additional payloads in this particular campaign; so far the malware only collects data for future spam campaigns.

To avoid taking the bait, it is enough not to open Microsoft Office files or other documents of dubious origin, and never to enable macros in them. That alone will most likely spare your data, time and nerves, and stop the attackers from doing what they intended.