Skip to content

Emotet botnet returns after a three-month hiatus with new tricks

  • by
  • 3 min read

Emotet botnet, widely considered one of the greatest cybersecurity threats on the planet has returned after a three-month break with several new tricks up its sleeve. While the bot has retained its trademark spam messages that appear to come from a known contact addressing the recipient by name and seem to be replying to an existing thread, it has introduced new techniques to evade endpoint security checks and trick users into clicking links or enabling Office macros. 

According to a report from Trend Micro, the group resumed activity in March with a botnet known as Epoch 4 started delivering malicious documents embedded in Zip files attached to emails. Trend Micro started tracking these efforts to deploy a new command and control (C2) infrastructure detecting activity spikes in January and February. 

While Microsoft has disabled macros by default since 2022, Emotet uses social engineering to trick users into enabling macros for their attacks to proceed. Additionally, the threat actors have also adopted binary padding, specifically the 00-byte padding technique, as an evasion technique. This method inflates the malicious dropper document and related Emotet DLL files to over 500MB to avoid security programs. 

The Emotet malware attack vector. | Source: Trend Micro

Once macros have been enabled, the document downloads a ZIP file from one of seven hardcoded and obfuscated URLs. After that, the macro checks for a successful download and whether the downloaded file is a ZIP archive or a PE file. This suggests that threat actors might also have adopted alternative file formats in addition to ZIP archives. 

After a successful download and file identification, the macro invokes regsvr32.DLL and loads the DLL with the /s switch to silently execute the malicious payload infecting the victim’s computer. Emotet instantly makes a copy of certutl.exe, a legitimate command-line tool in a temporary directory that starts in a suspended state. 

Malicious Word document delivered by Emotet asking the user to enable macros. | Source: Trend Micro

After that, it starts loading different modules such as NirSoft’s Web Browser Passview and Mail Passview tools, an Outlook stealer and a spam module before resuming its execution. While Trend Micro researchers haven’t seen a second-stage deployment from the Emotet payload yet, it is possible that might drop further payloads such as backdoors or information stealers in the future. Emotet also performs recon activities on the infected machine using either IP configurations or through the affected machine’s system information and sends the data back to its C2 servers. 

Given the technical prowess of Emotet’s developers, who even survived an entire takedown of their infrastructure back in 2021, researchers believe that “it would not be surprising to see it evolve further in future attacks, employing alternative malware delivery methods, adopting new evasion techniques, and integrating additional second and even third-stage payloads into its routines”. 

In the News: Discord revises AI privacy policy following user backlash

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here:

Exit mobile version