The Emotet malware-delivery botnet is back after a short hiatus, quickly ramping up the number of malicious emails it’s sending and sporting additional capabilities, including changes to its binary and delivering a new version of the IcedID malware dropper.
The various changes after almost four months of silence also could indicate a change of management for Emotet, which has been run by the threat group TA542 and in April was ranked as the top malware threat – affecting six percent of companies worldwide.
“Proofpoint expects that the actor will continue to evolve, with potential for higher email volumes, more geographies targeted, and new variants or techniques of attached or linked threats,” said Pim Trouerbach and Axel F, researchers with Proofpoint, in a Wednesday analysis. “Additionally, given the observed changes to the Emotet binary, it is likely to continue adapting as well.”
While the campaign emails contain Excel attachments, as previously observed in Emotet attacks, these Excel files now come with instructions for targets to copy the file to a Microsoft Office Template location and run it from there instead.
For threat actors this tactic cuts out the headache of convincing users to “enable macros,” but the extra step still adds complexity to the attack, since the user must have administrative privileges to complete the copy. Researchers said it is currently unclear how effective this technique is.
Often, the phishing email contains a single Microsoft Excel file, and sometimes attachments are zip archives.
In all cases where the attachment is a zip archive, the contents are an Excel document.
“This is a trusted location and opening a document located in this folder will cause immediate execution of the macros without any warnings or interactions from the user needed,” said researchers. “However, while moving a file to a template location, the operating system asks users to confirm and that administrator permissions are required to do such a move.”
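For defenders, the useful check is which folders Excel currently treats as Trusted Locations and whether any workbooks have recently landed in them. The PowerShell audit below is an added example, not code from the article or from Proofpoint; it assumes the standard Office registry layout (`...\Office\<version>\Excel\Security\Trusted Locations\Location<N>` keys with a `Path` value and optional `AllowSubfolders` and `Description` values) and flags locations that point at a Templates folder.

```powershell
# Added example (not from the article): enumerate Excel Trusted Locations and list
# macro-capable workbooks inside them. Assumes the standard Office registry layout:
#   <hive>\Software\Microsoft\Office\<ver>\Excel\Security\Trusted Locations\Location<N>
# with a Path value and optional AllowSubfolders / Description values.
$roots = @(
    'HKCU:\Software\Microsoft\Office',
    'HKLM:\Software\Microsoft\Office',
    'HKCU:\Software\Policies\Microsoft\Office'   # trusted locations pushed by Group Policy
)
$macroExtensions = '.xls', '.xlsm', '.xlsb', '.xlam', '.xltm'

$results = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # One subkey per installed Office version, e.g. 16.0
    foreach ($ver in Get-ChildItem $root | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }) {
        $tlKey = Join-Path $ver.PSPath 'Excel\Security\Trusted Locations'
        if (-not (Test-Path $tlKey)) { continue }
        foreach ($loc in Get-ChildItem $tlKey) {
            $p = Get-ItemProperty $loc.PSPath
            if (-not $p.Path) { continue }
            # Paths are often stored with environment variables such as %APPDATA%
            $path    = [Environment]::ExpandEnvironmentVariables($p.Path)
            $recurse = [bool]$p.AllowSubfolders
            $files   = @()
            if (Test-Path $path) {
                $files = @(Get-ChildItem -Path $path -File -Recurse:$recurse -ErrorAction SilentlyContinue |
                           Where-Object { $_.Extension -in $macroExtensions })
            }
            [pscustomobject]@{
                Hive        = $root
                Version     = $ver.PSChildName
                Location    = $loc.PSChildName
                Description = $p.Description
                Path        = $path
                IsTemplates = [bool]($path -match 'Templates\\?$')   # the folder abused here
                Subfolders  = $recurse
                Workbooks   = $files.Count
                # Workbooks written in the last 7 days: a user-dropped attachment stands out
                Recent      = ($files | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
                               Select-Object -ExpandProperty Name) -join '; '
            }
        }
    }
}

$results | Sort-Object IsTemplates, Workbooks -Descending | Format-Table -AutoSize
```

Run it under the user account being reviewed (HKCU values are per-user); a non-empty `Recent` column on a row with `IsTemplates` set is the condition worth investigating.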