Emotet: Look, Who's Back
The #emotet malware operation re-started its activity this Tuesday morning. It resumed sending out spam emails after a three-month break.
Emotet malware is distributed through emails containing malicious Microsoft Word and Excel document attachments. The user needs to open the document and activate macroses, so the Emotet DLL will be downloaded and loaded into memory.
One of the peculiar features of Emotet is that, initially, it is not active and waits until instructions are received from a remote command and control server. Then several options are possible, for instance, the victims’ emails and contacts will be stolen to be included in subsequent Emotet campaigns, or an additional payload will be downloaded to run a ransomware attack against the infected computer.
Back then, Emotet was one of the most widely distributed malware. Now it is less active, but there are still some evolutions, as the latest developments have shown.
This time spam includes docs using Red Dawn templates, and they are huge indeed, with sizes over 500MB. Previously spam messages used to be reply chains, now they pretend to be invoices. These ZIP archives contain inflated Word documents containing the data mostly used to make the files harder for being scanned and detected by antiviruses as malicious.
After downloading, Emotet will be saved to a random-named folder under %LocalAppData% and launched using regsvr32.exe. This is an evasion technique that proved to be quite successful. VirusTotal scan showed that only one out of 64 security vendors would detect this malware.
However, with recent changes by Microsoft, when it finally disabled macros by default, the current campaign might not be a success. At least additional payloads are not yet observed in action. We might expect that Emotet will move to exploit other files than .doc and .xls, such as ISO, JS, etc.
For a reliable protection against malware, leverage reliable endpoint protection, vulnerability management, managed security, and data backup services, such as provided by #TrilightSecurity