Emotet is back (again), transformed and still scary

The infamous malware, already silenced in 2020, is once again circulating in a new version. Among the new features, the integration of XLS and XLSM files. Published on November 17, 2021 by Redazione

Defined several times as the most dangerous malware of recent years, Emotet is the phoenix of the cybercriminal scene, or a zombie that comes back to life even when it seemed permanently buried. The notorious banking trojan, spread via spam and capable of installing a backdoor on infected devices, remained in circulation for years; after its reappearance in early 2020, the cybercriminal group pulling the strings was tracked down and dismantled through the mobilization of large forces, including Europol and the FBI.

In the meantime, Emotet had already evolved and transformed, also lending itself to operating as a botnet that spread further malware through the network of devices it had infected. Now, however, several cybersecurity companies and researchers have reported the return of Emotet in a different form: cybercriminal groups are using another notorious malware-botnet, TrickBot, to install Emotet on compromised Windows machines.

For example, G Data, a German cybersecurity firm, has observed numerous incidents in which TrickBot attempted to install a dynamic link library (DLL) on the target system. These DLLs have been identified as belonging to Emotet and represent, according to G Data, a "reincarnation" of the malware silenced in 2020. At the moment this "reincarnation" is not acting as a botnet, but it may start doing so soon. A researcher from Team Cymru, a company that helped dismantle the Emotet campaign in 2020, likewise sees signs of a relationship between the old and the new variant.

Proofpoint also reports the return of Emotet: according to the company, the new variant is at work sending messages to government organizations, nonprofits and private companies (especially in financial services, insurance, transport, technology and manufacturing), predominantly in the United States and Canada. "They do not seem to be tests, they are active campaigns, and one of the main differences compared to the past is in the volume, for now more contained: over 50,000 messages had been detected before the international legislative actions," explained Sherrod DeGrippo, Vice President, Threat Research and Detection at Proofpoint. "Among the novelties, the integration of XLS and XLM files: if a user enables macros, the installation of Emotet proceeds. The actor also replaced the API's RSA encryption with ECC (elliptic-curve cryptography), and we continue to see thread hijacking, similar attachment names, and the use of password-protected Word documents and ZIP files, as noted above, while a certain number of filenames seem legitimate."

"Payload URLs," continued the researcher, "are still distributed in sets of seven, along with the same generation of botnet IDs, to name a few. Based on some infrastructure seen in campaigns by Proofpoint, actors are leveraging hosting providers to scale operations. Emotet has for years been one of the most constant threats on the Internet; this return is significant and represents a major risk for the security posture of organizations."