Successful compromises by the notorious Emotet malware are occurring again. After several months of inactivity, the botnet resumed its email activity on 07.03.2023.
Emotet is one of the most well-known malware families. It is distributed via emails carrying malicious Microsoft Word and Excel attachments. When users open these documents and enable macros, the Emotet DLL is downloaded and loaded into memory.
Once Emotet is loaded, it remains undetected and waits for instructions from a remote command-and-control server.
The malware is used to steal victims' emails and contacts for use in future campaigns. It can also download additional payloads such as Cobalt Strike or other malware, which usually leads to ransomware attacks.
Emotet returns in 2023
Cybersecurity firm Cofense and the Emotet tracking group Cryptolaemus reported that the malware is active again, sending infected emails with attached ZIP files that are not password protected. The ZIP attachments contain Word documents of up to 500 MB in size, a size that is said to make it difficult for AV solutions to scan them and detect the malware.
The attached files are disguised as invoice documents. In fact, the Office documents contain malicious macros, which in turn download and execute the Emotet DLL.
The Word documents use Emotet’s “Red Dawn” document template. This prompts the user to activate the content of the document so that it is displayed correctly.
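The two traits described above, an unprotected ZIP wrapping an oversized macro-enabled document, can be triaged without ever opening the document in Word. The following is an added example, not code from the article or from Cofense or Cryptolaemus: it builds a constructed ZIP attachment (a small OOXML document padded with stored zero bytes, standing in for a padded lure), then inspects each Office member from the ZIP headers alone for an oversized uncompressed size, an unusually high uncompressed-to-compressed ratio (a heuristic for padding), and the presence of a VBA project. The 50 MB size threshold and the 100:1 ratio are assumed values to be tuned per environment, and the legacy OLE check is a crude byte scan for the `_VBA_PROJECT` stream name rather than a full parser.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")


def build_sample_attachment(pad_bytes: int, with_vba: bool = True) -> bytes:
    """Construct a ZIP attachment holding one OOXML document (a constructed sample, not a real lure).

    The document is padded with a stored (uncompressed) block of zero bytes, so it is
    large once extracted yet tiny inside the ZIP, mimicking a padded lure document.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            doc.writestr("word/vbaProject.bin", b"\x00" * 64)  # presence marks a macro-enabled document
        if pad_bytes:
            doc.writestr("word/media/pad.bin", b"\x00" * pad_bytes,
                         compress_type=zipfile.ZIP_STORED)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Invoice_2023.docm", inner.getvalue())
    return outer.getvalue()


def has_vba(doc_bytes: bytes) -> bool:
    """Macro presence check.

    OOXML: look for a vbaProject.bin part. Legacy OLE (.doc/.xls): crude scan for the
    UTF-16LE '_VBA_PROJECT' stream name (heuristic assumption, not a full OLE parser).
    """
    if doc_bytes.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in doc_bytes
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(zip_bytes: bytes, oversize: int = 50 * 1024 * 1024,
                      max_ratio: float = 100.0):
    """Return one finding per Office document inside the ZIP.

    oversize:  uncompressed size above which many scanners skip or truncate a file
               (assumed threshold; tune to the products in use).
    max_ratio: uncompressed/compressed ratio above which the member is treated as padded.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if not info.filename.lower().endswith(OFFICE_EXT):
                continue
            # Both size fields come from the ZIP central directory, so no extraction is
            # needed to decide whether the member is oversized or padded.
            ratio = info.file_size / info.compress_size if info.compress_size else 0.0
            finding = {
                "name": info.filename,
                "size": info.file_size,
                "oversize": info.file_size >= oversize,
                "padded": ratio >= max_ratio,
                "has_vba": has_vba(z.read(info)),
            }
            finding["suspicious"] = finding["has_vba"] and (finding["oversize"] or finding["padded"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # 2 MB of padding with a 1 MB threshold keeps the demo quick; real lures were far larger.
    for f in triage_attachment(build_sample_attachment(2 * 1024 * 1024), oversize=1024 * 1024):
        print(f)
```

Because the size and ratio checks read only the ZIP headers, the triage can refuse or quarantine a padded document before any scanner has to process hundreds of megabytes of filler.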
The malware is suspected to be used to harvest victims' email and contact information for future Emotet attacks. It could also be used to deliver additional payloads such as Cobalt Strike or other malware components that usually lead to ransomware attacks. At present, the attack volume still seems to be low.
After download, the Emotet DLL is saved in a randomly named folder under %LocalAppData% and launched with regsvr32.exe, which then establishes the command-and-control communication. This foothold is used to extend the threat actors' privileges and spread further through the infiltrated network.
Once executed, Emotet runs in the background, waiting for commands that will likely install further payloads on the victim's device. As noted above, these payloads can be used to remotely access the device, which is then used to spread further into the compromised network.
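The execution step just described (a DLL in a random folder under %LocalAppData%, loaded by regsvr32.exe after an Office macro ran) is a narrow, detectable pattern in process-creation telemetry. The following is an added example, not code from the article: a small rule run over constructed Sysmon-style process-creation records. It flags any regsvr32.exe whose command line names a DLL under a user's AppData\Local subfolder, and raises the severity when the parent process is an Office application. The record layout, field names and the list of Office parents are assumptions for the example; a real deployment would map them to the EDR or SIEM schema in use.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Xkqhfw\Gtrmeqp.dll"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\wuaueng.dll",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\setup.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\AppData\Local\Foo\notes.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# A DLL one folder below <user>\AppData\Local, i.e. the %LocalAppData%\<random>\<random>.dll layout.
LOCALAPPDATA_DLL = re.compile(r'\\users\\[^\\]+\\appdata\\local\\[^\\]+\\[^\\"]+\.dll', re.I)

# Parents that make a regsvr32 launch far more suspicious (assumed list for the example).
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def classify(event: dict):
    """Return a finding for a suspicious regsvr32 launch, or None for anything else."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image != "regsvr32.exe":
        return None
    match = LOCALAPPDATA_DLL.search(event["CommandLine"])
    if not match:
        return None
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    severity = "high" if parent in OFFICE_PARENTS else "medium"
    return {"severity": severity, "parent": parent, "dll": match.group(0)}


def scan(events):
    """Apply the rule to every record and keep only the findings."""
    return [finding for finding in (classify(e) for e in events) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The medium-severity hit on the Temp folder shows the trade-off: legitimate installers occasionally register DLLs from AppData\Local, so the rule reports them at a lower level and reserves high severity for the Office-parent chain that matches the macro-driven infection described above.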
According to Cofense, this new campaign appears to simply steal data (for future attacks).