Emotet Resurfaces Yet Again After 3-Month Hiatus

Published: 23/11/2024   Category: security

More than two years after a major takedown by law enforcement, the threat group is once again proving just how impervious it is against disruption attempts.



Like the proverbial bad penny that keeps turning up, the Emotet malware operation has resurfaced yet again — this time after a lull of about three months.
Security researchers this week noted that the group is once again posing a threat to organizations everywhere, with malicious email activity associated with Emotet resuming early on March 7. The emails have been arriving in victim inboxes as innocuous-looking replies to existing email conversations and threads, so recipients are more likely to trust their content. Some of the Emotet emails have been landing as new messages as well.
The emails contain a .zip attachment, which, when opened, delivers a Word document that prompts the user to enable a malicious macro. If enabled, the macro, in turn, downloads a new version of Emotet from an external site and executes it locally on the machine.
Researchers from Cofense and Hornet Security who observed the fresh malicious activity described the Word documents and the malicious payload as inflated in size, coming in at more than 500MB each. Overall, the volume of the activity has remained unchanged since early March 7, and all of the emails have been attachment-based spam, the researchers said.
"The malicious Office documents and the Emotet DLLs we're seeing are very large files," says Jason Muerer, senior research engineer at Cofense. "We have not yet observed any links with the emails."
Hornet Security attributed the large file and payload sizes to a likely attempt by the group to sneak the malware past endpoint detection and response (EDR) tools. "The latest iteration of Emotet uses very large files to bypass security scans that only scan the first bytes of large files or skip large files completely," according to a post by Hornet researchers. "This new instance is currently running at a slow pace, but our Security Lab expects it to pick up."
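The delivery chain described above (a .zip attachment carrying a Word document) and Hornet Security's point about oversized files both lend themselves to a simple triage check. The following is an added example, not code from the article, Cofense or Hornet Security: it walks a .zip attachment, identifies Office containers by their header bytes (and, for OOXML, by the presence of a vbaProject.bin part), and measures how much of each file is filler, so a file that is large only because of padding gets flagged rather than skipped. The size and padding thresholds, the function names, and the sample archives it builds are assumptions made for illustration.

```python
"""Triage a .zip email attachment for two traits: an Office document inside the
archive and a grossly padded ("inflated") file that a size-capped scanner might
skip. Added example, not code from the article, Cofense, or Hornet Security.
All thresholds are hypothetical tuning values."""
import io
import zipfile
import zlib
from dataclasses import dataclass
from typing import List, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (OLE2/CFB) header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) is a zip container


@dataclass
class MemberReport:
    name: str
    size: int
    kind: str                 # "ole", "ooxml", "ooxml-macro", "ooxml-unreadable", "other"
    zero_fraction: float      # share of 0x00 bytes in the file
    compression_ratio: float  # zlib output size / input size; near 0 means mostly filler
    padded: bool              # True when the file is large and dominated by filler


def classify(data: bytes) -> str:
    """Identify the document container and, for OOXML, whether it ships a VBA project."""
    if data.startswith(OLE_MAGIC):
        return "ole"  # legacy binary Word format; macros live inside the OLE storage
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            # Trailing padding can push the central directory beyond the window
            # zipfile searches, so an inflated OOXML file may be unreadable.
            return "ooxml-unreadable"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        if any(n.startswith("word/") for n in names):
            return "ooxml"
    return "other"


def padding_stats(data: bytes) -> Tuple[float, float]:
    """Estimate how much of the file is filler: null-byte share and zlib ratio."""
    if not data:
        return 0.0, 1.0
    zero_fraction = data.count(0) / len(data)
    compression_ratio = len(zlib.compress(data, 1)) / len(data)
    return zero_fraction, compression_ratio


def inspect_member(name: str, data: bytes,
                   size_threshold: int = 10 * 1024 * 1024,  # hypothetical: 10 MiB
                   zero_threshold: float = 0.90,            # hypothetical
                   ratio_threshold: float = 0.05) -> MemberReport:  # hypothetical
    """Score one extracted file; padding only counts once the file is large."""
    zero_fraction, ratio = padding_stats(data)
    padded = len(data) >= size_threshold and (
        zero_fraction >= zero_threshold or ratio <= ratio_threshold)
    return MemberReport(name, len(data), classify(data), zero_fraction, ratio, padded)


def triage_attachment(zip_bytes: bytes, **thresholds) -> List[MemberReport]:
    """Walk every file in the attachment archive and report on each one."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [inspect_member(info.filename, z.read(info), **thresholds)
                for info in z.infolist() if not info.is_dir()]


def build_sample_attachment(doc_size: int) -> bytes:
    """Constructed test data: a zip holding an OLE-headed stub padded with nulls
    to doc_size bytes, plus a harmless text file."""
    body = OLE_MAGIC + b"stub document body"
    doc = body + b"\x00" * (doc_size - len(body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.doc", doc)
        z.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed test data: a minimal OOXML-shaped zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # A 2 MiB sample with a 1 MiB threshold keeps the demo quick; real tuning is higher.
    sample = build_sample_attachment(2 * 1024 * 1024)
    for r in triage_attachment(sample, size_threshold=1024 * 1024):
        print(f"{r.name}: kind={r.kind} size={r.size} zeros={r.zero_fraction:.3f} "
              f"ratio={r.compression_ratio:.4f} padded={r.padded}")
```

Two design points matter for the evasion Hornet describes. First, the padding measurement reads the whole file rather than its first bytes, so it must run before any size cap a scanner applies, not after. Second, a padded OOXML document can be unreadable to a standard zip parser, which the check reports as "ooxml-unreadable" instead of silently treating the file as benign; a large, unparsable, filler-dominated document is itself worth a second look.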
Emotet is a malware threat that first surfaced as a banking Trojan in 2014. Over the years, its authors — variously tracked as Mealbug, Mummy Spider, and TA542 — have turned the erstwhile banking Trojan into a sophisticated and lucrative malware delivery vehicle that other threat actors can use to deliver different malicious payloads. These payloads have in recent years included highly prolific ransomware strains, such as Ryuk, Conti, and Trickbot.
The threat actor's preferred mode for delivering Emotet has been via spam emails and phishing, crafted to get users to open attached files or to click on embedded links to malware delivery sites. Once the threat actor compromises a system, Emotet is used to download other malware onto it for stealing data, installing ransomware, or other malicious activities such as stealing financial data. Emotet's command-and-control (C2) infrastructure presently runs on two separate botnets that security vendors have designated as epoch 4 (E4) and epoch 5 (E5).
In early 2021, law enforcement officials from multiple countries disrupted Emotet's infrastructure in a major collaborative effort, but that has done little to stop the threat actor from continuing its malware-as-a-service operation. At the time, the US Department of Justice assessed that Emotet's operators had compromised over 1.6 million computers worldwide between April 2020 and January 2021. Victims included organizations in healthcare, government, banking, and academia.
An October 2022 analysis of the Emotet threat group by security researchers at VMware identified multiple reasons for the group's continued ability to operate after the massive law enforcement takedown. These included more complex and subtle execution chains, constantly evolving methods of obfuscating its configuration, and the use of a hardened environment for its C2 infrastructure.
"Emotet has been used to deliver a range of secondary payloads," Muerer says. "While it was predominantly delivering other malware families in the past, there is evidence that the current endgame for these actors will likely be focused on ransomware."
There's nothing about the new Emotet activity that suggests the threat group has deployed any new tactic or technique, Muerer says. The email-thread hijacking tactic and the macro-enabled Word documents are both tactics that the operators have been using for some time. And, as always, the primary infection vector remains spam and phishing emails.
"Nothing major has shifted that we are aware of," Muerer says. "Emotet remains a threat to everyone, with a disproportionately high impact on small businesses and individuals."
