The Emotet botnet is back, and it has some new tricks to spread malware

The botnet appears to have used a short break to test new methods for infecting Windows systems with backdoor malware.
Written by Danny Palmer, Senior Writer

A prolific botnet has reemerged with new techniques to infect Windows PC with malware. 

Once described as the most dangerous malware botnet in existence, Emotet helped cyber criminals to distribute malware and ransomware to victims around the world, before being disrupted by a coordinated global law enforcement takedown in January 2021

But Emotet reemerged 10 months later and has resumed campaigns. It is sending out millions of phishing emails in mass spam campaigns, with the aim of infecting devices with malware that ropes them into a botnet controlled by cyber criminals. 

SEE: A winning strategy for cybersecurity (ZDNet special report)

According to cybersecurity researchers at Proofpoint, Emotet appears to be testing new attack techniques at a small scale, which could potentially be adopted for much larger campaigns. These techniques are designed to make attacks more difficult to detect, ultimately increasing the chances of them being successful.  

The emergence of new attack techniques has coincided with a period when it seemed widespread Emotet campaigns were put on hold, with new activity occurring at low volume. Previous Emotet campaigns commonly involve automated mass spam campaigns, but in this case, it appears that phishing emails are being sent out in smaller numbers by a human user.

One of these new campaigns exploits compromised email accounts to send out spam-phishing emails with one-word subject lines – researchers note that one of them is simply 'Salary', a subject line that could encourage a user to click out of curiosity. 

The message bodies contain only a OneDrive URL, which hosts zip files containing Microsoft Excel Add-in (XLL) files with a similar name to the email subject line. 

If the XLL files are opened and executed, Emotet is dropped on the machine, infecting it with malware. Emotet can be used to steal information from victims and serves as a backdoor for deploying other malware onto the compromised Windows system – it has commonly been used as a backdoor to deploy ransomware attacks

What makes this campaign distinct from previous Emotet campaigns is the use of OneDrive URLs – typically, Emotet attempts to spread itself via the use of Microsoft Office attachments or phishing URLs that link to Office files. 

The use of XLL files is also unusual, as Emotet has traditionally been distributed using Microsoft Excel or Word documents containing Visual Basic for Applications (VBA) scripts or macros.

SEE: Clueless hackers spent months inside a network and nobody noticed. But then a ransomware gang turned up

This switch comes after Microsoft announced it would begin blocking macros obtained from the internet by default from April. That move is part of an effort to help protect users from a technique commonly used in phishing attacks, so gangs are likely testing new techniques to get around this. 

"After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures) alongside its existing high-volume campaigns," said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.

"Organisations should be aware of the new techniques and ensure they are implementing defenses accordingly," she continued, adding "Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable".

"The best simulations mimic real-world attack techniques. Look for solutions that tie into real-world attack trends and the latest threat intelligence," DeGrippo explained. 

ZDNet has contacted Microsoft for comment. 


Editorial standards