What just happened? The Emotet botnet was dead, or so the researchers thought. The malicious network is now back in business with a new phishing campaign, leveraging a new technique to trick users and businesses into getting infected.
After a four-month hiatus, Emotet is back on track as one of the most dangerous botnet operations around. Cybercriminals are using the network to spread malicious software and other potential infections, with a new trick designed to bypass protections in Microsoft Office applications.
Emotet was considered one of the most prevalent infections until July 2022, when the network suddenly stopped spam campaigns and third-party malware distribution. Now, the botnet is back in “distribution mode”, according to the Cryptolaemus research group.
🚨Emotet back to Distro mode🚨 – Starting at 0800 UTC E4 it started spamming and from 0930 UTC E5 it started spamming again. It looks like Ivan needs money again, so he’s back at work. Beware of directly attached XLS files and compressed and password protected XLSs. 1 / x
– Cryptolaemus (@Cryptolaemus1) November 2, 2022
The infamous Emotet botnet resumed spamming on November 2 with a new email phishing campaign that hijacks stolen email reply chains. The network is now distributing malicious Excel attachments to users in several languages, disguised as invoices, scans, forms and other engaging “baits”. The attachments arrive either as directly attached XLS spreadsheets or inside password-protected ZIP archives.
Emotet’s latest campaign introduces a new tool to the botnet’s arsenal: an Excel template that includes instructions on how to bypass Microsoft’s Protected View technology. Files downloaded from the Internet carry a “Mark-of-the-Web” flag, which instructs Office applications to open them in Protected View, a restricted mode that prevents embedded macros from executing.
The instructions in the malicious spreadsheet advise users to copy the file to one of the Microsoft Office “trusted” template folders. When opened from a trusted location, the document is not subject to Protected View, so its macros run and the Emotet infection spreads.
The new Emotet malware is downloaded as a DLL and executed on the system using the legitimate tool Regsvr32.exe. Once active, Emotet remains silent, waiting for instructions from the botnet’s command and control server. For now, the network doesn’t appear to be releasing additional malicious payloads as it did before it went dormant.
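The infection chain described above (a document copied into a trusted Office folder, then Excel spawning Regsvr32.exe to load a DLL) leaves two visible traces in endpoint telemetry. The following detection logic is an added example, not code from the article or from Cryptolaemus; it runs over constructed Sysmon-style events, and the trusted-location paths and the field names are assumptions that should be adjusted to the environment.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process creation, 11 = file creation).
# Field names follow Sysmon; the paths and values are made-up sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\alice\Downloads\invoice.xls"'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\invoice.xls"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\oxbv.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Loader binaries an Office document has no legitimate reason to spawn directly.
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "rundll32.exe"}
# Assumed default Office trusted locations: the per-user Templates and XLSTART folders.
TRUSTED_DIR_RE = re.compile(r"\\Microsoft\\(Templates|Excel\\XLSTART)\\", re.IGNORECASE)
MACRO_DOC_EXT = (".xls", ".xlsm", ".xlsb", ".xlam", ".doc", ".docm", ".dotm")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule_name, event) pairs for events matching either stage of the chain."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
                alerts.append(("office_spawned_loader", ev))
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if TRUSTED_DIR_RE.search(target) and target.lower().endswith(MACRO_DOC_EXT):
                alerts.append(("document_copied_to_trusted_location", ev))
    return alerts


if __name__ == "__main__":
    for rule, ev in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {ev.get('CommandLine') or ev.get('TargetFilename')}")
```

The file-creation rule fires on the user following the lure's copy instruction, before any macro runs, so it is the earlier of the two signals.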
One of the most notorious features of Emotet has always been its ability to work in conjunction with other malicious operations, spreading dangerous malware such as TrickBot, Cobalt Strike, and others. In the past, Emotet was a powerful force behind ransomware operations like Ryuk, Conti, BlackCat, and Quantum. The botnet provided those crews with initial access to networks and devices it had already infected, making the ransomware easier to spread.