Beware of Emotet’s Surprising Return to Cyberwarfare


The infamous botnet Emotet is back and ready to start a cyber war.
  • Since its removal in 2021, Emotet has led numerous spam campaigns.
  • Emotet’s handler, Mealybug, continually upgrades and creates new modules.
  • Since returning, the Emotet team has been working hard to evade botnet tracking.

A cunning and formidable force in the cyber threat realm, Emotet is known for unpredictable tactics that define a new breed of cyberwarfare. The malware intermittently disappears from view, but each return brings a strategy of increasing concern that keeps organizations worldwide on alert.

Like cockroaches, malware never truly goes away. Despite numerous campaigns to eradicate Emotet, it continues to revive and launch strikes against organizations around the world.

ESET Research provides an in-depth overview of Emotet’s behavior since its partial takedown and resurrection. Launched in 2014 by the cybercriminal group known as Mealybug or TA542, Emotet has evolved from a banking Trojan into a pervasive botnet threat.

In January 2021, an international operation involving eight countries, coordinated by Eurojust and Europol, partially dismantled Emotet. By November 2021, however, Emotet was back in action, launching multiple spam campaigns until it unexpectedly went quiet in April 2023.

Figure: A timeline of notable Emotet events since its resurrection. (Source – ESET)

Innovative malware spread by Emotet

ESET’s findings reveal that the majority of Emotet campaign attacks in 2022-2023 were directed against countries such as Japan, Italy, Spain, Mexico and South Africa.

According to ESET researcher Jakub Kaloč, Emotet spreads mainly through spam emails. It can extract data from compromised computers and deliver third-party malware. Emotet operators target a wide range of victims, compromising systems belonging to individuals, businesses, and large organizations.

From late 2021 to mid-2022, Emotet primarily spread via malicious MS Word and MS Excel documents containing VBA macros. However, Microsoft’s July 2022 policy change to disable VBA macros in documents downloaded from the internet forced malware groups such as Emotet and Qbot to rethink their strategies.

Kaloč explained that the loss of Emotet’s primary attack vector forced its operators to find other ways to compromise their targets. “Mealybug has begun experimenting with malicious LNK and XLL files. But by the end of 2022, Emotet operators were struggling to find new attack vectors as effective as VBA macros. In 2023, they ran three distinct malspam campaigns, each testing slightly different vectors and social engineering techniques,” says Kaloč. “However, the declining scale of attacks and the ever-changing approach may suggest dissatisfaction with the results.”

Emotet then started embedding lures into MS OneNote files. Despite warnings about potentially malicious content, many users still clicked on them.

Cyberwarfare escalates

Upon its return, Emotet received several enhancements. Notable changes include switching encryption schemes and introducing new obfuscations to protect its modules. Since the return, Emotet’s operators have invested heavily in evading detection and botnet tracking, introducing and improving multiple new modules to maintain profitability.

Mealybug not only moved the Emotet malware to a 64-bit architecture, but also added a lot of obfuscation to protect its modules. Of these new features, control flow flattening is particularly noteworthy, as it can significantly impede inspection and detection of critical components within Emotet’s modules.

Watch the following video to see what happens when a user is infected with Emotet.

Mealybug also implemented and enhanced a number of randomization techniques. The most notable are randomizing the order of structure members and randomizing the instruction sequences used to compute constants, so that the constants themselves never appear literally in the code (constant masking).

With a significant update in the last quarter of 2022, the modules started using timer queues. Combining this with control flow flattening significantly complicates code analysis and tracing of the execution flow.
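To make concrete what an analyst is up against with control flow flattening and masked constants, here is an added illustration (constructed for this article, not Emotet code). A small, readable checksum routine is shown beside a flattened version of the same logic: the loop and the if/else branches are replaced by a single dispatcher loop over a numbered state variable, and the two constants are derived at runtime from arithmetic rather than written as literals. The state numbers, constants and the routine itself are invented for the example; the point is that both produce identical results while the flattened form hides the original structure from a static reading.

```python
"""Constructed illustration of control flow flattening and constant masking."""

# --- The readable form: one loop, one branch, two literal constants. ---
def tag_plain(data: bytes) -> int:
    """Toy 16-bit rolling tag: odd bytes are added, even bytes are XORed,
    then the accumulator is rotated left by 3 bits."""
    acc = 0x1F2E
    for b in data:
        if b & 1:
            acc = (acc + b) & 0xFFFF
        else:
            acc ^= b
        acc = ((acc << 3) | (acc >> 13)) & 0xFFFF
    return acc ^ 0x5A5A


# --- Masked constants: the literals 0x1F2E and 0x5A5A never appear. ---
def _k_init() -> int:
    # (0x0F17 * 2) + 0x0100 == 0x1F2E
    return ((0x0F17 * 2) + 0x0100) & 0xFFFF


def _k_final() -> int:
    # 0xA5A5 XOR 0xFFFF == 0x5A5A
    return 0xA5A5 ^ 0xFFFF


# --- The flattened form: every basic block becomes a numbered case. ---
def tag_flattened(data: bytes) -> int:
    """Same computation as tag_plain, but the control flow is a dispatcher
    loop: the real branch structure is encoded in the 'state' transitions,
    which is what a decompiler shows after flattening."""
    state = 7          # entry state (number is arbitrary, as in real samples)
    i = acc = b = 0
    while True:
        if state == 7:                     # entry: init accumulator
            acc, i, state = _k_init(), 0, 3
        elif state == 3:                   # loop condition
            state = 9 if i >= len(data) else 1
        elif state == 1:                   # load byte, pick branch
            b = data[i]
            state = 4 if (b & 1) else 6
        elif state == 4:                   # odd byte: add
            acc = (acc + b) & 0xFFFF
            state = 2
        elif state == 6:                   # even byte: xor
            acc ^= b
            state = 2
        elif state == 2:                   # rotate, advance, back to condition
            acc = ((acc << 3) | (acc >> 13)) & 0xFFFF
            i += 1
            state = 3
        elif state == 9:                   # exit
            return acc ^ _k_final()


def same_result(data: bytes) -> bool:
    """Analyst's sanity check: the flattened routine is behaviourally identical."""
    return tag_plain(data) == tag_flattened(data)


if __name__ == "__main__":
    sample = b"constructed sample input"
    print(hex(tag_plain(sample)), hex(tag_flattened(sample)), same_result(sample))
```

The dispatcher loop is what makes flattened code hard to read: a function that used to be a handful of basic blocks with an obvious loop becomes one big switch whose edges are only recoverable by following the state assignments, and when the constants feeding it are also computed rather than written, signature-based matching on those constants stops working too.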

Emotet mainly spreads through spam emails and often deceives users with effective email thread hijacking, in which the lure arrives as a reply to a conversation stolen from a previous victim. Prior to the takedown, Emotet used modules that extracted emails and contact details from Outlook, namely the Outlook Contact Stealer and the Outlook Email Stealer. Recognizing that not everyone uses Outlook, Emotet expanded its targets after the takedown to include Thunderbird, a free alternative email client.
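Thread hijacking works because the lure looks like a genuine reply. A mail gateway or SOC can flag the pattern with a simple heuristic, shown here as an added example (not part of ESET’s research or any product): a message whose subject looks like a reply but carries no threading headers, or whose sender address is not a participant of the thread it claims to continue, gets an indicator. The sample messages and the participant table are constructed for the example; in practice the table would be populated from the organization’s own mail logs.

```python
"""Constructed heuristic for spotting reply-style lures (thread hijacking)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages; addresses and message-ids are invented.
LEGIT_REPLY = """From: Alice Example <alice@example.com>
To: bob@example.net
Subject: Re: Q3 invoice
In-Reply-To: <msg-001@example.net>
References: <msg-001@example.net>

Thanks Bob, the corrected invoice is attached.
"""

SPOOFED_REPLY = """From: Alice Example <alice@mailer.invalid>
To: bob@example.net
Subject: Re: Q3 invoice
In-Reply-To: <msg-001@example.net>
References: <msg-001@example.net>

Please see the attached document.
"""

ORPHAN_REPLY = """From: Carol <carol@example.org>
To: bob@example.net
Subject: RE: Q3 invoice

Please open the attached file.
"""

# Constructed lookup: message-id of the original mail -> addresses seen in that thread.
THREAD_PARTICIPANTS = {
    "<msg-001@example.net>": {"alice@example.com", "bob@example.net"},
}


def hijack_indicators(raw_message: str, threads: dict) -> list:
    """Return a list of human-readable indicators; an empty list means
    nothing about the message's threading looks wrong."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    subject = str(msg["Subject"] or "").strip().lower()
    looks_like_reply = subject.startswith(("re:", "fw:", "fwd:"))
    in_reply_to = str(msg["In-Reply-To"] or "").strip()
    references = str(msg["References"] or "").strip()
    sender = parseaddr(str(msg["From"] or ""))[1].lower()

    # A reply that was never threaded: subject says "Re:" but no mail client
    # would omit both In-Reply-To and References on a real reply.
    if looks_like_reply and not in_reply_to and not references:
        reasons.append("reply-style subject without threading headers")

    # A reply to a known thread from an address that never took part in it:
    # the display name may match, the mailbox does not.
    if in_reply_to:
        known = threads.get(in_reply_to)
        if known is None:
            reasons.append(f"In-Reply-To {in_reply_to} references an unknown message")
        elif sender not in known:
            reasons.append(f"sender {sender} is not a participant of the referenced thread")

    return reasons


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_REPLY), ("spoofed", SPOOFED_REPLY), ("orphan", ORPHAN_REPLY)]:
        print(name, hijack_indicators(raw, THREAD_PARTICIPANTS))
```

The check deliberately ignores display names, since the hijacked thread supplies a convincing name for free; only the mailbox address and the threading headers are compared. It is a triage signal, not a verdict: legitimate forwards from new participants will trip it, so it belongs alongside attachment and sender-reputation checks rather than as a standalone block rule.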

Emotet can deploy a module known as the Thunderbird Email Stealer on infected computers. As the name suggests, this module steals emails. It sifts through the Thunderbird files that store messages in MBOX format and exfiltrates data from various fields, including sender, recipient, subject, date, and message content. All stolen information is then sent to a command and control (C&C) server for further analysis and use.

Emotet also introduced the Google Chrome Credit Card Stealer module, which captures credit card information stored in the Google Chrome browser.

Figure: Emotet detections by ESET, January 2022 to June 2023. (Source – ESET)

According to ESET’s research, the Emotet botnet has been dormant since early April 2023, presumably while its operators search for new effective attack vectors. From January 2022 to date, most of the attacks identified by ESET targeted Japan (43%), Italy (13%), Spain (5%), Mexico (5%) and South Africa (4%).
