Emotet malware has returned, yet again. The malware has reportedly been upgraded and can now deploy other malware such as Bumblebee and IcedID.
Security researchers at Cryptolaemus reported a surge in activity on October 2, 2022, stating that the malware is being used to run spamming campaigns. Upon further investigation, Cyble Research and Intelligence Labs (CRIL) found a new Emotet spam campaign targeting users via specially crafted password-protected ZIP archives and malicious XLS and XLSM files.
According to the CRIL research team, the Emotet operators have targeted over 40 countries since the new campaign was launched. The reports suggest that the campaign is highly concentrated in South America and only loosely distributed across other parts of the world.
The threat researchers collected the data from November 3, 2022, to November 8, 2022.
Emotet malware campaign: a technical breakdown
The Emotet malware strain first came to light in 2014 as a widespread banking trojan designed to steal sensitive information from users’ devices.
Over the years, Emotet has grown into a more sophisticated malware family targeting victims across many industries. The infection begins with a spam email. Once the user clicks a link in the email, they are redirected to a malicious website, and while they view its content the Emotet payload is silently downloaded to their computer.
The operators behind the malware need to lure victims into downloading the files and documents that contain the Emotet payload. Once downloaded, it can load additional malware onto the victim’s devices to take complete control over files, networks, and administrative privileges.
CRIL thoroughly analyzed the malware and found that the spam emails used by the threat actors carried password-protected ZIP or XLS/XLSM attachments. The malicious macro-laden programs are disguised as documents, and the payload they fetch is downloaded onto the victim’s devices from a remote site.
To stop macros from executing, Microsoft Office opens downloaded documents in Protected View by default. To trick users into enabling the macro content anyway, the Threat Actors (TAs) behind this Emotet campaign use a variety of social engineering approaches.
The latest version of the lure document includes instructions that lead the user to bypass Microsoft’s Protected View. The researchers examined the template and found that the user, who already has the file downloaded on the system, is told to copy the XLS into the trusted “Templates” folder and open it again from there. Because the Templates folder is one of Office’s default Trusted Locations, a file opened from it is not subject to Protected View and its macros run without the usual prompt.
When the XLS file is opened from that location, the macro code downloads and runs the Emotet DLL (Dynamic Link Library) from the following URLs:
- hxxps://designelis.com[.]br/wp-content/NNfbZZegI/
- hxxp://copayucatan.com[.]mx/wp-includes/BqaJMpC3osZ0LRnKK/
- hxxp://cursosweb.com[.]br/portal/6ozjR/
- hxxp://db.rikaz[.]tech/lCx76IlkrBtEsqNFA7/
Once running, the Emotet malware connects to its command-and-control (C&C) server to obtain additional instructions or download new payloads. According to the CRIL report, the threat actors use the Emotet payload to install follow-up malware such as IcedID (aka BokBot) and Bumblebee.
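The download URLs above are published in defanged form (hxxp, [.]), which is safe to share but cannot be matched directly against proxy or DNS logs. The following Python script is an added example, not code from the article or from CRIL: it refangs the published indicators, extracts their hostnames and paths, and scans a small, constructed proxy log (hypothetical lines, not from the report) for requests to those hosts. Because several of the paths (wp-content, wp-includes) point at what look like compromised WordPress sites, the script distinguishes an exact host-plus-path match from a host-only match so an analyst can weigh false positives.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Defanged Emotet download URLs exactly as published in the article (CRIL report).
DEFANGED_IOCS = [
    "hxxps://designelis.com[.]br/wp-content/NNfbZZegI/",
    "hxxp://copayucatan.com[.]mx/wp-includes/BqaJMpC3osZ0LRnKK/",
    "hxxp://cursosweb.com[.]br/portal/6ozjR/",
    "hxxp://db.rikaz[.]tech/lCx76IlkrBtEsqNFA7/",
]


def refang(url: str) -> str:
    """Reverse common defanging (hxxp, [.], [:]) so the indicator parses as a URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def build_indicators(defanged: list[str]) -> tuple[set[str], set[tuple[str, str]]]:
    """Return (set of hostnames, set of (hostname, path) pairs) from defanged IOCs."""
    hosts: set[str] = set()
    paths: set[tuple[str, str]] = set()
    for ioc in defanged:
        parsed = urlparse(refang(ioc))
        host = (parsed.hostname or "").lower()
        hosts.add(host)
        paths.add((host, parsed.path))
    return hosts, paths


# Constructed proxy log sample (hypothetical; not taken from the article).
# Format assumed here: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2022-11-04T09:12:01Z 10.20.0.15 GET http://copayucatan.com.mx/wp-includes/BqaJMpC3osZ0LRnKK/ 200
2022-11-04T09:12:03Z 10.20.0.15 GET https://www.example.com/ 200
2022-11-04T09:14:44Z 10.20.0.31 GET https://designelis.com.br/contact 200
2022-11-04T09:15:10Z 10.20.0.31 GET http://db.rikaz.tech/lCx76IlkrBtEsqNFA7/ 200
malformed line that should be skipped
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_hits(log_text: str, defanged: list[str] = DEFANGED_IOCS) -> list[dict]:
    """Scan proxy log lines; report host-only matches and exact host+path matches."""
    hosts, paths = build_indicators(defanged)
    hits: list[dict] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        ts, client, _method, url, _status = m.groups()
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in hosts:
            continue
        # "url" = same host and same path as a published indicator (high confidence);
        # "host" = same host only, which may be benign traffic to a compromised site.
        match = "url" if (host, parsed.path) in paths else "host"
        hits.append({"time": ts, "client": client, "host": host, "match": match})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_PROXY_LOG):
        print(hit)
```

Run against the sample log, the script reports two exact URL matches from two different clients and one host-only match, which is the kind of result that should trigger a look at the originating workstations for recently opened XLS attachments and for files copied into the Office Templates folder.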