Brand-new Emotet campaign socially engineers its way past detection – IT PRO

The Emotet botnet has returned for a fresh campaign deploying various tactics such as binary padding and social engineering to evade security defences.
Organisations have been warned to remain vigilant amidst a fresh wave of Emotet spam activity that has surged since the start of the year, following a three-month period of low activity.  
The acceleration in attacks has been driven by the resurgence of the ‘Epoch 4’ botnet, which has been used to deliver malicious documents attached to seemingly legitimate emails.
This latest iteration of Emotet was found to mimic replies in existing email chains and threads, duping users into believing the malicious content was from a previous conversation.  
“These types of emails are often paired with social engineering techniques that are designed to get recipients to click on a link or download an attachment containing malware,” Trend Micro said in a blog post.
Malicious emails in this latest Emotet campaign were found to contain a .zip attachment. Once opened, this delivers a Word document that dupes the user into enabling a malicious macro, researchers said.
Although Microsoft disabled VBA macros in Windows by default in 2022, Emotet's malicious documents "deploy social engineering techniques to trick users into enabling macros to allow the attack to proceed as intended".
Finally, once enabled, this macro downloads a malicious payload (a DLL) to infect the device.
A key concern in this campaign is that this iteration of Emotet uses large file sizes to bypass security scans and endpoint protection processes. Each malicious email includes a 600KB zip file which contains a Word document of over 500MB, researchers said.
Binary padding isn't an uncommon method of malware obfuscation. It attempts to exploit the file size limitations in security products by inflating the malicious payloads' file sizes – a method which can trick scanning tools into bypassing the file altogether.
“Malicious actors use zip compression to transport the relatively small files via email and HTTP, before decompression is used to inflate the files to evade security solutions. Finally, reconnaissance activities are performed either via IP configs or through the affected machine’s system information,” researchers said.
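To make the file-size trick concrete, the following is an added example (not code from the article or from Trend Micro) that reads a zip archive's central directory and flags members that would decompress past a hypothetical scanner size cap, or that compress so well that padding is the likely explanation. The thresholds, file names and the constructed test archive are assumptions.

```python
import io
import zipfile

# Hypothetical thresholds (assumptions, not from the article): many scanners skip
# files above a size cap, so flag members that decompress beyond it, and flag
# compression ratios that only near-empty padding can reach.
SIZE_LIMIT_BYTES = 100 * 1024 * 1024   # assumed scanner cap, 100 MB
RATIO_LIMIT = 50.0                     # uncompressed:compressed ratio


def inspect_zip(data: bytes, size_limit=SIZE_LIMIT_BYTES, ratio_limit=RATIO_LIMIT):
    """Return (name, uncompressed, compressed, reasons) for suspicious members.

    Only central-directory metadata is read, so nothing is decompressed: the
    aim is to catch an oversized payload before a scanner silently skips it.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.file_size > size_limit:
                reasons.append(f"uncompressed {info.file_size} B exceeds scan limit")
            if ratio > ratio_limit:
                reasons.append(f"compression ratio {ratio:.0f}:1 suggests padding")
            if reasons:
                findings.append((info.filename, info.file_size, info.compress_size, reasons))
    return findings


def build_test_archive(doc_bytes: bytes, pad_to: int) -> bytes:
    """Constructed benign fixture: a tiny placeholder 'document' followed by
    zero bytes up to pad_to, alongside a small text file that is not padded."""
    padded = doc_bytes + b"\x00" * (pad_to - len(doc_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc", padded)      # assumed file name
        zf.writestr("readme.txt", b"plain small file")
    return buf.getvalue()


if __name__ == "__main__":
    # 5 MB of padding against a 1 MB cap keeps the demo quick to run.
    sample = build_test_archive(b"placeholder document header", 5 * 1024 * 1024)
    for name, size, csize, reasons in inspect_zip(sample, size_limit=1024 * 1024):
        print(f"{name}: {size} B from {csize} B compressed; " + "; ".join(reasons))
```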
Trend Micro researchers said the Emotet resurgence shows that it remains a “prolific and resilient” threat for organisations globally.  
The botnet has survived previous takedowns led by law enforcement, including a notable disruption of its infrastructure in 2021.
In this instance, a joint operation between Europol and international law enforcement agencies from the UK, US, and France seized control of several hundred servers. The takedown granted a reprieve for hundreds of victims infected with malware.  
While this appeared to put a major dent in the operation, within a year researchers observed another resurgence of the botnet, revealing that its infrastructure had “almost doubled” in the space of a few months.  
Research from Proofpoint in November 2022 found that after another hiatus period, Emotet was responsible for hundreds of thousands of daily attacks, once again securing its place as a “primary facilitator” of malware delivery.  
Trend Micro suggested that organisations will continue to face growing threats from Emotet in the coming months, noting that “it would not be surprising to see it evolve further in future attacks” by employing alternative malware delivery methods.  
Threat actors are also expected to adopt new evasion techniques and integrate “additional second and even third-stage payloads into its routine”.  