The Emotet botnet, widely considered one of the most serious cybersecurity threats in the world, has returned after a three-month break with several new tricks up its sleeve. The bot has retained its trademark spam messages, which appear to come from a known contact, address the recipient by name and seem to reply to an existing thread, but it has introduced new techniques to evade endpoint security checks and to trick users into clicking links or enabling Office macros.
According to a report from Trend Micro, the group resumed activity in March, when a botnet known as Epoch 4 started delivering malicious documents embedded in ZIP files attached to emails. Trend Micro had begun tracking the group's efforts to deploy new command and control (C2) infrastructure after detecting activity spikes in January and February.
While Microsoft has blocked macros by default in Office files downloaded from the internet since 2022, Emotet uses social engineering to trick users into enabling macros so that the attack can proceed. The threat actors have also adopted binary padding, specifically null-byte (0x00) padding, as an evasion technique: the malicious dropper document and the related Emotet DLL files are inflated to over 500MB, a size that exceeds the file-size limits of many security scanners and sandbox upload paths, so the files are skipped rather than analysed.
Once macros have been enabled, the document downloads a ZIP file from one of seven hardcoded, obfuscated URLs. The macro then checks that the download succeeded and whether the downloaded file is a ZIP archive or a PE file, which suggests that the threat actors might also adopt alternative file formats in addition to ZIP archives.
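The padding and file-type checks described above, as an added example that is neither Trend Micro's code nor the Emotet macro: a small Python triage routine that classifies a downloaded blob by its magic bytes the way the macro does (ZIP or PE), measures the trailing null-byte run that binary padding leaves behind, and shows why the padded and unpadded copies produce different hashes. The PE-shaped stub and the 20x padding factor are constructed for this example, and the 90% trailing-null ratio and 500MB size threshold are assumed values, not figures from the report.

```python
import hashlib
import struct

# Assumed thresholds for this example, not values from the Trend Micro report.
PADDED_SIZE_THRESHOLD = 500 * 1024 * 1024   # the droppers were inflated past 500MB
TRAILING_NULL_RATIO = 0.90                  # flag if >=90% of the file is a trailing null run


def identify(data: bytes) -> str:
    """Classify a payload by magic bytes, as the dropper macro does: 'zip', 'pe' or 'unknown'."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def trailing_nulls(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of the buffer."""
    return len(data) - len(data.rstrip(b"\x00"))


def is_null_padded(data: bytes, ratio: float = TRAILING_NULL_RATIO) -> bool:
    """True when most of the file is a trailing null run (binary padding)."""
    return bool(data) and trailing_nulls(data) / len(data) >= ratio


def strip_padding(data: bytes) -> bytes:
    """Drop the trailing null run so the real payload can be hashed and scanned.

    Caveat: a legitimate binary may end in a few genuine zero bytes, so the
    stripped hash is an extra lookup key, not a replacement for the full-file hash.
    """
    return data.rstrip(b"\x00")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes) -> dict:
    """Summarise a downloaded blob the way a scanner hook might."""
    return {
        "type": identify(data),
        "size": len(data),
        "oversized": len(data) > PADDED_SIZE_THRESHOLD,
        "null_padded": is_null_padded(data),
        "sha256_full": sha256(data),
        "sha256_stripped": sha256(strip_padding(data)),
    }


# --- constructed sample input (not a real Emotet artefact) -----------------------

def make_sample_pe(total_len: int = 256) -> bytes:
    """Build a minimal, non-executable PE-shaped stub: MZ header, e_lfanew, PE signature, filler."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # PE header directly after the DOS header
    body = b"PE\x00\x00" + b"\x90" * (total_len - 0x44)
    return bytes(hdr) + body


def pad_with_nulls(data: bytes, factor: int = 20) -> bytes:
    """Mimic the padding trick: append a null run many times the payload's size."""
    return data + b"\x00" * (len(data) * factor)


if __name__ == "__main__":
    stub = make_sample_pe()
    padded = pad_with_nulls(stub)
    for name, blob in (("unpadded", stub), ("padded", padded)):
        print(name, triage(blob))
```

The practical point is the last two fields of `triage`: a threat-intel hash of the unpadded DLL will never match the padded file on disk, so a hash-based blocklist needs the stripped hash as a second key, and a size cap in the scanner needs a "too large to scan" verdict that is treated as suspicious rather than as clean.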
After a successful download and file identification, the macro invokes regsvr32.exe with the /s switch to silently load the DLL and execute the malicious payload, infecting the victim's computer. Emotet immediately makes a copy of certutil.exe, a legitimate Windows command-line tool, in a temporary directory and starts it as a process in a suspended state.
It then loads different modules, such as NirSoft's WebBrowserPassView and Mail PassView tools, an Outlook stealer and a spam module, before resuming the suspended process. While Trend Micro researchers have not yet seen a second-stage deployment from the Emotet payload, it is possible that it might drop further payloads such as backdoors or information stealers in the future. Emotet also performs reconnaissance on the infected machine, collecting its network configuration or system information, and sends the data back to its C2 servers.
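The execution chain in the two paragraphs above (regsvr32 /s loading the dropped DLL from a user-writable path, then a copy of certutil.exe started from a temporary directory) lends itself to process-creation detections. The following is an added example, not detection content from Trend Micro: three heuristic rules in Python run over constructed Sysmon-style process-creation events. The user name, paths and DLL file name in the sample events are invented, and the path patterns and rule logic are assumptions chosen for illustration.

```python
import re

# Heuristic patterns, assumed for this example (not Trend Micro's detection content).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\|\\ProgramData\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\Windows\\(System32|SysWOW64)\\", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SILENT_SWITCH = re.compile(r"(^|\s)[/-]s(\s|$)", re.I)   # regsvr32 /s or -s


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_regsvr32_silent_user_dll(ev: dict) -> bool:
    """regsvr32 /s registering a DLL that lives in a user-writable location."""
    return (basename(ev["Image"]) == "regsvr32.exe"
            and SILENT_SWITCH.search(ev["CommandLine"]) is not None
            and USER_WRITABLE.search(ev["CommandLine"]) is not None)


def rule_office_spawned_regsvr32(ev: dict) -> bool:
    """An Office application (i.e. a macro) launching regsvr32."""
    return (basename(ev["Image"]) == "regsvr32.exe"
            and basename(ev["ParentImage"]) in OFFICE_APPS)


def rule_certutil_outside_system_dir(ev: dict) -> bool:
    """certutil.exe running from anywhere other than System32/SysWOW64 (a copied binary)."""
    return (basename(ev["Image"]) == "certutil.exe"
            and SYSTEM_DIRS.match(ev["Image"]) is None)


RULES = {
    "regsvr32_silent_user_dll": rule_regsvr32_silent_user_dll,
    "office_spawned_regsvr32": rule_office_spawned_regsvr32,
    "certutil_outside_system_dir": rule_certutil_outside_system_dir,
}


def evaluate(ev: dict) -> list:
    """Return the names of every rule that matches one process-creation event."""
    return [name for name, rule in RULES.items() if rule(ev)]


def scan(events: list) -> list:
    """Return (event index, rule name) pairs over a batch of events."""
    return [(i, name) for i, ev in enumerate(events) for name in evaluate(ev)]


# Constructed process-creation events in Sysmon Event ID 1 style; the user name,
# paths and DLL file name are invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\payload.dll"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\certutil.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\certutil.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},
    # benign: a vendor installer registering its own DLL under Program Files
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    # benign: an administrator hashing a file with the real certutil
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\installers\tool.msi SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Two caveats for anyone turning this into production rules. First, the suspended start and the modules loaded into the certutil.exe copy are not visible in process-creation telemetry at all; they need image-load events (Sysmon Event ID 7) or memory inspection of the resumed process. Second, the two benign events show why the rules key on location rather than on the tool name: regsvr32 /s and certutil.exe are both legitimate, and alerting on them alone would drown the signal.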
Given the technical prowess of Emotet's developers, who survived a full takedown of their infrastructure in 2021, the researchers believe that "it would not be surprising to see it evolve further in future attacks, employing alternative malware delivery methods, adopting new evasion techniques, and integrating additional second and even third-stage payloads into its routines".