Emotet Banking Trojan Resurfaces, Skating Past Email Security

Published: 23/11/2024   Category: security




The malware is using spreadsheets, documents, and other types of Microsoft Office attachments in a new and improved version that is often able to bypass email gateway-security scanners.



Malware botnet Emotet has resurfaced in a more advanced form after having been taken down by a joint international task force in January 2021.
A prolific threat throughout the pandemic, the Emotet malware began as a banking trojan in 2014, and its operators were one of the first criminal groups to provide malware-as-a-service (MaaS).
While it is still utilizing many of the same attack vectors it exploited in the past, Emotet's return has been accompanied by a boost in effectiveness in collecting and utilizing stolen credentials. The report noted that these stolen credentials are also being weaponized to further distribute the malware binaries.
The attacks are using hijacked email threads and then using those accounts as a launch point to trick victims into enabling macros of attached malicious Office documents, a Thursday report from Deep Instinct explained.
In addition, Emotet is utilizing 64-bit shellcode, as well as more advanced PowerShell and active scripts, with nearly a fifth of all malicious samples exploiting the 2017 Microsoft vulnerability CVE-2017-11882.
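The hijacked-thread pattern described above (a reply in an existing conversation that carries a macro-enabled Office attachment) is something a mail-gateway or SOC triage script can check for directly. The following is an added example, not code from the article or from Deep Instinct; the message and the OOXML attachment stub are constructed inline, and the check simply looks for a `vbaProject.bin` stream, which is where Office stores VBA macros.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def build_docm(with_macros: bool) -> bytes:
    """Constructed stand-in for an Office attachment: a minimal OOXML zip (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macros:  # macro-enabled documents carry a VBA project stream
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()


def build_eml(subject: str, in_reply_to: str, attachment: bytes, name: str) -> bytes:
    """Constructed message; an In-Reply-To header marks it as part of an existing thread."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    msg.set_content("Please see the attached document.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=name)
    return bytes(msg)


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML zip containing a vbaProject.bin stream."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> dict:
    """Flag the hijacked-thread pattern: a reply that carries a macro-enabled attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    thread_reply = msg["In-Reply-To"] is not None or subject.lower().startswith("re:")
    macro_attachments = [
        part.get_filename() for part in msg.iter_attachments()
        if has_vba_project(part.get_payload(decode=True) or b"")
    ]
    return {"thread_reply": thread_reply, "macro_attachments": macro_attachments,
            "quarantine": thread_reply and bool(macro_attachments)}
```

A macro-enabled attachment outside a reply thread is still reported in `macro_attachments` so it can be routed for manual review rather than silently passed.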
The attacks have focused largely on victims in Japan, with an expanded focus on targets in the United States and Italy starting from March this year.
The Deep Instinct team also wrote a detailed blog post on the technical details of what they found back in November.
Chuck Everette, Deep Instinct's director of cybersecurity advocacy, says the company's Threat Research Team has been monitoring the re-emergence of Emotet since Q4 of last year.
"We use internal code and binary similarity algorithms on our cloud backend to associate and correlate new variants of a select set of campaigns which we monitor very closely, Emotet being one of them," he explains.
"In particular, several static evasion methods are very characteristic of Emotet, and upticks in those in new variant waves are very indicative of Emotet activity," Everette tells Dark Reading.
"These attacks definitely have similar characteristics that they've had in the past," he says. "They now, however, have some new and improved techniques and tactics."
One of them, Everette noted, is the streamlining of the product and removal of the middle stage of the attack.
Additionally, they've switched from non-secure HTTP to secured HTTPS communications, and they've also added in code obfuscation techniques to the payload.
"The Emotet Gang are professionals. They know how to run a successful phishing campaign and have now upped their game with new sophisticated attack techniques," Everette says. "However, the primary delivery method is still phishing emails, and the human factor is the weakness."
He advises organizations to be continuously diligent about cybersecurity awareness by training their employees, as well as monitoring and adding prevention capabilities to keep these types of phishing attacks out of their environment.
"If you make yourself more difficult to attack than another company, they will go after the easier target," he says. "Make sure you're the harder target to penetrate. Educate your employees."
Regarding Emotet's previous ties to the TrickBot trojan, Everette acknowledged that there's quite a bit of speculation around the status of the relationship now, but the most common thought is that there's a continued collaboration between these cybercriminal entities.
"TrickBot and Emotet have a long history of collaboration," he said. "As we know, with the rise and fall of the cyber gangs, members often move between organizations. This creates alliances and knowledge-sharing. With Emotet and TrickBot, it's just one of these alliances that has lasted and weathered several take-down attempts."
From his perspective, Emotet is no different than other cyber-gangs that have been taken down — 90% of these cyber gangs resurrect in one way or another.
"The major difference with Emotet is, you're still using a good majority of the original code, given more sophisticated techniques, and they seem to be keeping the same name," Everette said. "Their operations have not changed, because they were highly successful in the past."
He added that there are also indicators that the group has moved some of its infrastructure out of the European arena and down to South America, mainly Brazil.
