Emotet attempts to sell access after infiltrating high-value networks

The notorious trojan Emotet re-emerged this week after a three-month hiatus with a specific goal: send malicious emails to infiltrate high-value corporate networks and then try to sell that access to ransomware groups.

Instead of just sending malicious Excel files, Emotet is now sending malware in Word files with macros that, if enabled, could start the infection chain and execute the Emotet.dll.

Deep Instinct's Threat Research team on Friday reported that the first page of the malicious email contains an image that tries to lure the receiver to enable macros. The Deep Instinct team observed malicious emails sent to companies around the globe, including in Japan, an image of which they posted on March 10.

Initially conceived as a banking trojan in 2014, Emotet evolved into an all-purpose loader two years later. While the botnet had its infrastructure dismantled in January 2021, it has been resurrected through the help of the TrickBot malware by the mostly defunct Conti group. In security circles, Emotet gets tracked at Mummy Spider, or TA542.

Simon Kenin, a security researcher at Deep Instinct, explained that over the years, Emotet shifted to being a botnet of infected computers that will load any other malware the operator decides on, and that's why the malicious spam now gets sent to corporate email addresses and not individuals at homes.

“When the operator of the botnet sees a high value target infected, he can sell access to a ransomware group, which will have initial access and try to hack the whole network,” explained Kenin. “The return on investment is much higher for ransomware than banking trojans these days. For other less valuable targets, a method of pay-per-install can be used and the operator just loads other cybercriminals malware in bulk.”

Emotet malware inflating payload to avoid detection

The initial attack file and the final payload are artificially inflated to more than 500 megabytes, a technique that can “drastically decrease” the chance of security products to block the file pre-execution, Deep Instinct reported about the new Emotet campaign.

Kenin explained that the technique deployed by Emotet can cause serious performance issues for scanning big files from some vendors, or it can cause static detections to stop working properly and miss those files.

“Solely based on the initial detections in VirusTotal, we could see that most vendors didn’t detect those files and it took them some tweaking to properly start detecting them,” said Kenin. “I would recommend security teams test the security product they use in a lab environment against the samples we provided to understand better how they are protected.”

Emotet resumed malicious activity March 7

Cofense reported in a March 7 blog post that malicious email activity by Emotet resumed at 8 a.m. Eastern that day. The Cofense researchers said the malicious emails contain attached .zip files that are not password protected.

Emotet last appeared in November and June of 2022 and the Cofense researchers said it was unclear how long this attack period will last.

The recent resurgence of Emotet, along with new modules and evasion techniques being added, indicates active development of the malware, said Zane Bond, head of product at Keeper Security.

“It’s unlikely Emotet will become the world's top botnet as it was in the past, because the vulnerabilities that enabled its explosive growth have largely been patched,” said Bond. “However, it’s still a very capable adversary tool that defenders need to protect against. Without zero-days or critical vulnerabilities enabling a global widespread infection, adversaries are relying on common tactics to get initial footholds.”