The Emotet botnet has returned with a venegeance

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)

The dreaded Trojan Emotet is back after a five-month hiatus, kicking off a furious new malware distribution campaign, researchers are warning.

Researchers from Cryptolaemus, a group that tracks Emotet, observed the threat actor suddenly come to life and spam email addresses worldwide with phishing emails, in the early morning of November 2.

“Looks like Ivan is in need of some cash again so he went back to work. Be on the lookout for direct attached XLS files and zipped and password protected XLS,” the group warned in a Twitter thread

Weaponized Office files

As usual, the campaign revolves around weaponized Office documents, in this particular case - Excel files carrying malicious macros. 

The threat actor hijacks existing email chains, using the reply feature to distribute the document. There are a few notable changes to how the trick works, though, as Microsoft has recently disabled macros by default, and requires admins to specifically allow the feature to run. 

Furthermore, Windows now adds the Mark-of-the-Web (MoTW) flag to all files downloaded from the internet. When opened, MoTW flagged files will display a message saying they were downloaded from an insecure location and that they can only be opened in Protected View, to protect the users from accidentally running a malicious macro.

That has prompted the criminals to add a specific message to the file, mimicking Excel’s security warning (the yellow horizontal bar above the content) and saying that, in order to run the file, it needs to be placed in the Office’s Templates folder.

All files run from the Templates folder automatically run macros. Indeed, it’s not that easy to add files to that specific folder, as Windows requests admin permission, but chances are - many victims will ignore these obvious red flags. 

So far, Emotet is sitting dormant on compromised endpoints, so the researchers can’t determine what kind of campaign it’s being used for. In the past, Emotet was used to drop Cobalt Strike beacons, TrickBot malware, and others. 

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.