The notorious Emotet botnet, considered one of the biggest threats to internet security, has resurfaced after a prolonged hiatus, armed with new tactics. The botnet’s trademark strategy of sending spam messages that appear to be from a known contact, addressing recipients by name and purporting to respond to existing email threads, was observed again last week after a four-month break.
Previous resumptions of activity have seen Emotet deploy fresh techniques to avoid endpoint security products and deceive users into clicking on links or enabling dangerous macros in Microsoft Office attachments.
Last Tuesday, a malicious email was sent containing a Word document that had a massive amount of extraneous data added to the end, making it over 500MB in size, which could thwart some security products from scanning the contents. This is known as binary padding or file pumping, whereby zeros are added to the end of the document. If the user is tricked into enabling the macro, the Windows DLL file that is delivered is also pumped, causing it to expand from 616kB to 548.1MB, according to security firm Trend Micro.
Another new evasion technique was observed in the same document, which contained excerpts from Herman Melville’s classic novel Moby Dick, appearing in white font on a white page so that the text is not readable. Some security products flag Microsoft Office files containing only a macro and an image, which the hidden text aims to circumvent without raising the target’s suspicion.
Emotet Botnet utilizing text from Moby Dick to deceive targets (credits: Trend Micro)
When the document is opened, the user is presented with a graphic that says the content can’t be accessed unless the user clicks the “enable content” button.
Microsoft had previously disabled macros downloaded from the internet by default, but users could still choose to enable them. The malware attack relies on this vulnerability, which requires users to enable macros in order to download a .zip file from a hacked legitimate website.
Enable macro tactice employed by the Emotet (Credits: Trend Micro)
Office will then unzip the archived file and execute the inflated Emotet DLL infecting the device with devastating consequences. The malware is designed to steal sensitive data such as passwords and other confidential information. It also uses the victim’s machine to send spam emails to other users, further spreading the infection.
When a device is infected with malware, it poses a great threat to its user’s sensitive data. This malicious software is designed to steal passwords, confidential information, and it can use the device to send spam emails to the user’s contacts. Furthermore, the malware is capable of downloading other harmful software such as the notorious Ryuk ransomware or the TrickBot malware. This is an example of the infection chain:
Emotet infection chain (credits: Trend Micro)
The latest revival of Emotet has once again showcased the botnet’s signature behavior of paying close attention to detail. This malicious software has spent years meticulously copying email conversations from infected machines and embedding them into spam messages sent to other parties in the same thread. By doing so, Emotet’s spam messages have a higher chance of going undetected, as they appear to come from someone the target has previously communicated with. Additionally, Emotet has the ability to infiltrate Wi-Fi networks and infect connected devices.
With the resurgence of Emotet, it is imperative to remain alert against the threat of malicious emails that can potentially compromise system security, even if they appear legitimate, and incorporate personalized elements.
Macros embedded within email attachments should be treated with caution, as they can execute malicious code on the user’s system. Before enabling macro functionality, it is recommended to confirm the identity of the sender through non-email means, such as phone or instant messaging.