Emotet malware is back. Again.
After being out of action for five months following a takedown by international law enforcement operations, the notorious cybercrime gang behind the Emotet malware has returned to action. Emotet has resumed spamming on November 2, found researchers at Cryptolaemus.
Emotet: How does it hit
Users who are sent malicious phishing emails laced with Emotet malware are prompted to open and save the Excel file attached. The Excel file executes macros that soon download the Emotet malware to the target’s system. The malware would run in the background and connect to the control server, where any new commands would be executed, including installing payloads.
Cybercriminals are detected to be using old email credentials they have stolen to launch the present cyberattacks globally. The emails are sent with malicious Excel attachments as noticed in samples sent to VirusTotal. The malware loads as a legitimate DLL into several folders with different names. Moreover, the languages in which the emails were written are found to be varied with different file names.
The infected files were camouflaged to look like legitimate documents such as electronic forms, scans, invoices, etc. What is noteworthy is that this campaign is laced with the facility to hoodwink the security features of Microsoft protected view.
This is done by cybercriminals using a new template for Excel attachments with changed instructions for unsuspecting users. Users are shown a button to ‘enable content’ following which it escapes Microsoft’s Mark-of-the-Web (MoTW) flag, which would otherwise prevent the execution of the malware. Users end up copying the malicious files to the trusted templates folders that would help escape the protected view restrictions despite being marked as MoTW.
The history of the malware
Emotet was first detected in 2014 and became known for its threat later in 2020. Then too, the cyberattacks were launched using phishing emails containing infected Word or Excel attachments. Emotet has attacked healthcare in the recent past and is known as a banking trojan. The Cybersecurity and Infrastructure Security Agency (CISA) published an advisory warning against the Emotet malware and marked it a trojan that operated as a dropper of other malware.
This is not the first instance when Emotet has returned from a hibernation.
On January 27, 2021, cross-border law enforcement agency Europol announced the disruption of the workings of Emotet, after an internationally coordinated effort between authorities from Canada, France, Germany, Lithuania, the Netherlands, the United Kingdom, the United States, and Ukraine. The malware was back in action after a lull.