Recent Emotet intrusions have used obfuscated Excel macros to download and run the Emotet loader. In these intrusions, the loader was executed using regsvr32.exe.

Recent Emotet intrusions

Experts from EclecticIQ have observed Emotet being distributed throughout 2022. In these attacks, they made several observations regarding initial delivery and the Emotet loader.
  • The first stage of an attack starts with spam emails carrying Office XLS documents as attachments. The document uses obfuscated Excel macros and asks users to Enable Content so that a macro can run.
  • When the macros are executed, they initiate several CALL and EXEC functions to download the Emotet loader.
  • In the second stage, the Emotet loader loads the encrypted Emotet payload into memory. After that, the payload is decrypted and written to the allocated area of memory.

Evasion and persistence

The developers of Emotet have used several methods and tricks to enhance the evasion and persistence capabilities of the malware.
  • The malicious document consists of multiple password-protected worksheets. These sheets contain various characters spread across the area and written in white color to make the sheet look empty.
  • When executed with macros enabled, the macro tries to download the loader using the URLDownloadToFileA function.
  • For persistence, a Windows service is used, which executes the Emotet payload using regsvr32.exe.
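
A defender-side check for the two regsvr32.exe behaviours described above, as an added example that is not from the original article or from EclecticIQ: it flags service installs (System event 7045) whose image path runs regsvr32.exe, and regsvr32.exe process creations (Security event 4688) whose parent is Excel. The flattened field names, the sample events and the assumption that the macro launches regsvr32.exe directly from Excel are constructed for illustration.

```python
import re

# regsvr32 as the launched executable, with or without a path, quotes or ".exe".
REGSVR32 = re.compile(r'(^|[\\/"\s])regsvr32(\.exe)?(["\s]|$)', re.IGNORECASE)
OFFICE_PARENTS = {"excel.exe"}  # assumption: the XLS macro runs inside Excel

# Constructed sample events; field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"host": "ws-01", "event_id": 4688,
     "new_process": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent_process": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"host": "ws-01", "event_id": 7045, "service_name": "example-svc",
     "image_path": r'C:\Windows\system32\regsvr32.exe "C:\Users\Public\example.dll"'},
    {"host": "ws-02", "event_id": 7045, "service_name": "PrintHelper",
     "image_path": r"C:\Program Files\Vendor\printhelper.exe"},
    {"host": "ws-03", "event_id": 4688,
     "new_process": r"C:\Windows\System32\regsvr32.exe",
     "parent_process": r"C:\Windows\System32\msiexec.exe"},
]

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def classify(event):
    """Return a finding label for one normalized event, or None."""
    eid = event.get("event_id")
    if eid == 7045:  # a new service was installed
        if REGSVR32.search(event.get("image_path", "")):
            return "service-runs-regsvr32"
    elif eid == 4688:  # a new process was created
        child = basename(event.get("new_process", ""))
        parent = basename(event.get("parent_process", ""))
        if child == "regsvr32.exe" and parent in OFFICE_PARENTS:
            return "excel-spawned-regsvr32"
    return None

def scan(events):
    """Return (host, finding) pairs for every event that matches a rule."""
    return [(e["host"], label) for e in events if (label := classify(e))]

if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(host, label)
```

Legitimate installers also call regsvr32.exe, so the parent-process and service-path conditions are what keep the rule narrow; the msiexec.exe sample event is deliberately not flagged.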

Ending notes

Emotet is active and uses new delivery techniques to stay relevant and undetected by security solutions. MITRE has provided IoCs and YARA rules to track, monitor, and detect Emotet infections. Further, it is recommended to subscribe to a threat intelligence service to get immediate updates regarding the latest threats and IoCs for real-time protection.
Cyware Publisher