The Emotet botnet has resumed activity after a break of around 3 months as the threat group attempts to build up the number of infected devices. The Emotet botnet consists of an army of devices that have been infected with Emotet malware, which gives the operators of the botnet access to those devices. That allows data to be stolen from the infected devices and for access to be sold to other threat actors to allow them to conduct attacks, such as by delivering additional malware payloads such as Cobalt Strike, banking Trojans, information stealers, and ransomware. Infected devices are also used to grow the botnet. Emotet malware can hijack email accounts, steal message threads, and send copies of itself to the victim’s contacts. Since the emails come from a trusted email account they are more likely to be opened.
Emotet campaigns do not run constantly throughout the year. The threat actor tends to have several months of downtime with the last campaign coming to an end in November 2022. The botnet is now active once again and is sending emails, which means businesses need to be on high alert. The activity commenced at the end of the first week of the month and now high volumes of emails are being sent.
While Emotet is well known for hijacking email threads and using reply-chain emails, this time around a campaign is being conducted that includes ZIP file attachments purporting to contain invoices. Some of the emails intercepted include compressed Word documents that are over 500 MB in size when they are extracted. The large file size is used to defeat antivirus software. If the documents are opened, the user is presented with a warning that the document is protected and they are told that they need to ‘enable editing’ and ‘enable content’ to preview the document. These security warnings are in place to prevent macros from running and enabling the content will see the macros run and Emotet malware be downloaded onto the device from a compromised website. The downloaded file – a DLL file – is similarly inflated to more than 500 MB to prevent scanning by AV solutions. The payloads often change to prevent detection, and detection rates are usually very low for each payload.
One of the campaigns detected in the past few days targets U.S. taxpayers. In this campaign, the Internal Revenue Service (IRS) and legitimate businesses are impersonated using fake W-9 tax forms. These W-9 tax forms are also included in a ZIP file attachment and the files are also inflated to more than 500 MB. In this campaign, the Emotet gang returns to using reply-chain emails so it appears that the emails have been sent from a trusted entity that has emailed in the past.
Fortunately, email-based attacks using macros to deliver malicious payloads are becoming much less effective due to a 2022 update from Microsoft that disables macros automatically in Internet-delivered Office files. In response, like other threat actors, the Emotet gang has changed tactics and is now sending emails with OneNote attachments, which do not support macros and therefore bypass Microsoft’s anti-macro controls. OneNote files allow embedded content, which in this case is a VBS attachment that is hidden under a view button. The user is told to double-click on the view button, but what they are really doing is double-clicking on the VBS attachment under the fake view button, which executes the script and delivers Emotet malware from a compromised website.
With Emotet back up and running it is a good idea to ensure that employees are trained to recognize these malicious emails and the SafeTitan security awareness training platform from TitanHQ allows you to easily do that and keep employees up to date on the latest Emotet tactics. SafeTitan also includes a phishing simulator that allows you to simulate Emotet emails in phishing tests to see which employees click. Those individuals can then be provided with additional training to ensure that if a real Emotet email is received, they will be able to recognize it as such.
For more information on SafeTitan Security Awareness Training, contact the TitanHQ team today.