The silent and pervasive Emotet trojan has launched aggressive attacks against organizations. While the primary purpose remains to steal information from victims’ systems, there has been a significant change in the infection process chain executed by operators.

Emotet leverages maldocs in recent attacks

  • Recently, researchers from FortiGuard Labs found a variety of malicious Microsoft Office files (maldocs) being used in a series of phishing attacks delivering Emotet.
  • The first attack appeared in November 2021.
  • The phishing emails appeared to be a reply or forwarded message that included ‘Re:’ or ‘Fw:’ in the subject line.
  • In some cases, the malicious document comes packed in a ZIP archive that is unlocked with a password included in the body of the email.
  • The attached Word documents and Excel files contain an image requesting victims to click the ‘Enable Content’ button in the security warning bar. Doing so activates the malicious macros, which ultimately download and execute the malicious payload.
  • While the Word documents contain malicious VBA code, the Excel files use Excel 4.0 macros in addition to VBA macros.
  • As of March 2022, the campaign uses a malicious Excel file named ‘2021_NovW4’ to evade detection by antivirus software.
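The lure traits listed above (a reply-style subject, a password-protected ZIP, and Office files carrying VBA or Excel 4.0 macros) can be checked mechanically at the mail gateway. The following attachment triage is an added example, not code from the report, FortiGuard or Kaspersky; the sample archives it inspects are constructed in memory, and the `2021_NovW4.xlsm` file name is only used as a label.

```python
# Added example (not from the report, FortiGuard or Kaspersky); samples are constructed.
import io, re, zipfile

REPLY_SUBJECT = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
OFFICE_EXT = (".docm", ".docx", ".xlsm", ".xlsx")  # OOXML (ZIP-based) formats only

def inspect_office(data: bytes) -> list[str]:
    """OOXML is a ZIP: VBA lives in */vbaProject.bin, Excel 4.0 (XLM) macros
    in xl/macrosheets/*.xml. Legacy OLE .doc/.xls files are out of scope."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    findings = []
    if any(n.endswith("vbaProject.bin") for n in names):
        findings.append("vba-macro")
    if any(n.startswith("xl/macrosheets/") for n in names):
        findings.append("excel4-macro")
    return findings

def triage(subject: str, filename: str, data: bytes) -> list[str]:
    """Return the lure traits observed for one e-mail attachment."""
    findings = []
    if REPLY_SUBJECT.match(subject):
        findings.append("reply-style-subject")
    if filename.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(i.flag_bits & 0x1 for i in zf.infolist()):
                findings.append("encrypted-zip")  # password sits in the mail body
            else:  # not locked: inspect any Office document inside the archive
                for m in zf.namelist():
                    if m.lower().endswith(OFFICE_EXT):
                        findings.extend(inspect_office(zf.read(m)))
    elif filename.lower().endswith(OFFICE_EXT):
        findings.extend(inspect_office(data))
    return findings

def make_sample_zip(entries: dict[str, bytes], encrypted: bool = False) -> bytes:
    """Constructed sample: uncompressed ZIP; with encrypted=True, set bit 0 of the
    general-purpose flags (local header +6, central header +8) so readers see a
    password-protected archive without implementing ZipCrypto."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for hdr in re.finditer(rb"PK\x03\x04|PK\x01\x02", raw):
            raw[hdr.start() + (6 if raw[hdr.start() + 3] == 4 else 8)] |= 0x01
    return bytes(raw)
```

An encrypted archive cannot be opened for inspection, so the `encrypted-zip` finding on its own is the signal to hold the message rather than pass it through.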

New modules also identified in Emotet

  • In another update, Kaspersky researchers retrieved 16 new modules added to Emotet.
  • These modules are capable of performing a large set of malicious actions that range from spamming to stealing emails, passwords, and login details from various sources.
  • Each module has its own numeric ID and contains its own C2 list.

Targeted victims

  • In Q1 2022, the trojan infected users and companies across countries worldwide.
  • There was a significant rise in the number of such attacks in March.
  • According to Kaspersky’s telemetry, Italy suffered the highest number of infections followed by Russia (9.87%), Japan (8.55%), Mexico (8.36%), Brazil (6.88%), and Indonesia (4.92%).

Conclusion

Despite suffering a major disruption in 2020, Emotet has made a powerful comeback, piggybacking on TrickBot. Additionally, the operators have improved their infrastructure and capabilities to ensnare a wide range of victims. Since it primarily spreads via phishing emails, organizations must take the necessary steps to bolster their defenses so that such threats are identified early.

Cyware Publisher