Emotet, an infamous malware family that began as a banking trojan and has a long attack history, has returned with a new strain that spreads through targeted phishing emails carrying malicious XLS attachments and delivers new IcedID and Bumblebee payloads.
After rebuilding its infrastructure, Emotet resumed aggressive campaigns in late 2021 and became highly active within a short period.
Emotet has been regarded as a major malware family by the research community since 2014 because of its footprint and aggressive distribution methods; the threat actor TA542 is behind it.
It was developed to steal sensitive and private information from organizations across many sectors, including educational institutions, government, defense, IT and telecom, as well as from millions of individuals around the globe.
Researchers from Proofpoint observed that Emotet is continuously sending a high volume of emails and expanding its targeting to more geographies while employing new TTPs.
The new Emotet strain's behavior, as summarized by Proofpoint:
- New Excel attachment visual lures
- Changes to the Emotet binary
- The IcedID loader dropped by Emotet is a new, lightweight version of the loader
- Reports of Bumblebee dropped in addition to IcedID
Emotet Infection Process:
The newly launched Emotet campaign has been observed sending hundreds of thousands of malicious emails every day; in earlier waves, volume spiked to millions of emails last April.
This campaign's high-volume email attacks targeted several countries, including the United States, United Kingdom, Japan, Germany, Italy, France, Spain, Mexico, Brazil, and more.
Further analysis shows that the emails, attributed to TA542, carry a malicious attachment: either an Excel file directly or a password-protected ZIP archive with an Excel file inside it.
The Excel file contains macros; once a user is tricked into enabling them, they download the Emotet payload from one of several hardcoded URLs.
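As an added example (not code from the original article or from Proofpoint's research), the following Python shows how a mail gateway can triage this delivery pattern without knowing the archive password: the ZIP format encrypts entry contents but leaves entry names and the "encrypted" flag readable in the central directory, so a password-protected archive holding a macro-capable Excel file is detectable on sight. The sample e-mail and archive are constructed inline, and the list of macro-capable extensions and the hand-built ZIP writer are this example's own assumptions, not anything the article describes.

```python
"""Triage an inbound e-mail for the Emotet delivery pattern: a password-
protected ZIP carrying a macro-capable Excel document.  Added example; the
e-mail and archive below are constructed, not real Emotet artefacts."""
import email
import io
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

# Extensions that can carry VBA or Excel 4.0 macros (assumption: tune per environment).
MACRO_CAPABLE_EXT = ('.xls', '.xlsm', '.xlsb', '.xlam', '.doc', '.docm', '.dot', '.dotm')
ZIP_FLAG_ENCRYPTED = 0x1  # general-purpose bit 0 in the ZIP specification


def inspect_zip(attachment_name, blob):
    """Return findings for one ZIP attachment; empty list if nothing suspicious.

    Works on an encrypted archive because only the central directory is read;
    entry names and flag bits are never encrypted by ZipCrypto or AES zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [f"{attachment_name}: not a valid ZIP"]
    findings = []
    for info in zf.infolist():
        encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
        macro_capable = info.filename.lower().endswith(MACRO_CAPABLE_EXT)
        if encrypted and macro_capable:
            findings.append(f"{attachment_name}: password-protected entry '{info.filename}' "
                            "is a macro-capable Office document (Emotet-style delivery)")
        elif encrypted:
            findings.append(f"{attachment_name}: password-protected entry '{info.filename}'")
    return findings


def triage_message(raw_bytes):
    """Walk every attachment of an RFC 5322 message and inspect the ZIP ones."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or '<unnamed>'
        payload = part.get_payload(decode=True) or b''
        # Trust the magic bytes, not just the extension, since lures rename files.
        if name.lower().endswith('.zip') or payload[:4] == b'PK\x03\x04':
            findings.extend(inspect_zip(name, payload))
    return findings


# ---- constructed sample data --------------------------------------------------

def build_zip(entries, encrypted):
    """Hand-build a minimal STORED ZIP so the 'encrypted' flag can be set.

    Python's zipfile cannot write encrypted archives.  With encrypted=True the
    entry is flagged as ZipCrypto and prefixed with a 12-byte header, but the
    payload is NOT really encrypted; it is a stand-in for the sample only."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    local, central, offset = [], [], 0
    for name, data in entries:
        nb = name.encode()
        crc = zlib.crc32(data)
        body = (b'\x00' * 12 + data) if encrypted else data
        lh = struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, flags, 0, 0, 0,
                         crc, len(body), len(data), len(nb), 0)
        ch = struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20, flags, 0, 0, 0,
                         crc, len(body), len(data), len(nb), 0, 0, 0, 0, 0, offset)
        local.append(lh + nb + body)
        central.append(ch + nb)
        offset += len(lh) + len(nb) + len(body)
    cd = b''.join(central)
    eocd = struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, len(entries), len(entries),
                       len(cd), offset, 0)
    return b''.join(local) + cd + eocd


def build_sample_email(zip_bytes, zip_name='invoice_2022.zip'):
    """Constructed lure: the body carries the password, the attachment is the ZIP."""
    msg = EmailMessage()
    msg['From'] = 'accounts@example.com'
    msg['To'] = 'victim@example.com'
    msg['Subject'] = 'Re: Invoice'
    msg.set_content('Please see attached. Archive password: 2022')
    msg.add_attachment(zip_bytes, maintype='application', subtype='zip', filename=zip_name)
    return msg.as_bytes()


if __name__ == '__main__':
    xls_stub = b'\xd0\xcf\x11\xe0' + b'\x00' * 16  # OLE2 magic, placeholder body
    lure = build_sample_email(build_zip([('Invoice_2022.xls', xls_stub)], encrypted=True))
    for finding in triage_message(lure):
        print(finding)
```

The check deliberately stops at the central directory: a gateway cannot open the entry, but it does not need to, and a policy that quarantines encrypted archives whose listed names are macro-capable Office documents catches this lure while leaving ordinary encrypted PDFs to a lower-severity queue.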
An interesting detail is that the file itself instructs victims to copy it into a Microsoft Office Templates folder and open it from there.
Because that folder is a Trusted Location, Office runs the macros in files opened from it immediately, without the usual security warning or the need to click through an Enable Content prompt.
One obstacle remains: writing into that folder requires administrator permission, so Windows prompts the user to approve the copy before it can proceed.
“It remains unclear how effective this technique is. While there is no longer a need for users to enable macros with an extra click, there is instead a need to perform a file move, acknowledge the dialog, and the user must have Administrator privileges,” Proofpoint researchers said.
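The copy-to-Templates step leaves a file-system trace that endpoint telemetry can catch: an Office document being created under an Office Trusted Location by something other than the Office installer. The following Python, added here as an example and not part of the article or of Proofpoint's published detections, evaluates Sysmon-style file-create events against the default Trusted Location paths of a typical Office 2016/365 install. The event field names, the path patterns and the list of expected writer processes are assumptions to verify against your own environment, and the events are constructed.

```python
"""Flag Office documents written into Office Trusted Locations, the folders
the Emotet lure asks victims to copy the file into.  Added example; the
events below are constructed in the shape a Sysmon Event ID 11 forwarder
might emit (field names are an assumption)."""
import re

# Default Trusted Locations on a typical Office 2016/365 install (assumption:
# verify against the list your GPO actually configures).  Regexes rather than
# literal strings so per-user AppData paths, case and x86/x64 variants match.
TRUSTED_LOCATION_PATTERNS = [
    re.compile(r'^[a-z]:\\program files( \(x86\))?\\microsoft office\\(root\\)?templates\\', re.I),
    re.compile(r'^[a-z]:\\program files( \(x86\))?\\microsoft office\\root\\office1[0-9]\\xlstart\\', re.I),
    re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\templates\\', re.I),
    re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\excel\\xlstart\\', re.I),
]
OFFICE_DOC_EXT = ('.xls', '.xlsm', '.xlsb', '.xlam', '.doc', '.docm', '.dotm')
# Processes that legitimately populate template folders (assumption).  Anything
# else, e.g. explorer.exe after a manual copy or an archiver, is what the lure
# instructions produce.
EXPECTED_WRITERS = ('msiexec.exe', 'officeclicktorun.exe', 'setup.exe')


def in_trusted_location(path):
    return any(p.match(path) for p in TRUSTED_LOCATION_PATTERNS)


def evaluate(event):
    """Return an alert dict for one file-create event, or None if benign."""
    path = event['TargetFilename']
    if not path.lower().endswith(OFFICE_DOC_EXT):
        return None
    if not in_trusted_location(path):
        return None
    writer = event['Image'].rsplit('\\', 1)[-1].lower()
    severity = 'info' if writer in EXPECTED_WRITERS else 'high'
    return {'severity': severity, 'path': path, 'writer': writer, 'user': event['User']}


def run(events):
    """Evaluate a batch of events and return only the alerts."""
    return [alert for alert in map(evaluate, events) if alert]


# Constructed events: 1 and 4 mimic a victim following the lure, 3 is an
# installer refreshing templates, 2 and 5 should not alert.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\explorer.exe', 'User': r'CORP\jsmith',
     'TargetFilename': r'C:\Program Files\Microsoft Office\root\Templates\Invoice_2022.xls'},
    {'Image': r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE', 'User': r'CORP\jsmith',
     'TargetFilename': r'C:\Users\jsmith\Documents\budget.xlsx'},
    {'Image': r'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe',
     'User': 'NT AUTHORITY\\SYSTEM',
     'TargetFilename': r'C:\Program Files (x86)\Microsoft Office\root\Templates\Normal.dotm'},
    {'Image': r'C:\Program Files\7-Zip\7zFM.exe', 'User': r'CORP\jane.doe',
     'TargetFilename': r'C:\Users\Jane.Doe\AppData\Roaming\Microsoft\Templates\Quote.docm'},
    {'Image': r'C:\Windows\explorer.exe', 'User': r'CORP\jsmith',
     'TargetFilename': r'C:\Program Files\Microsoft Office\root\Templates\readme.txt'},
]

if __name__ == '__main__':
    for alert in run(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['user']} via {alert['writer']} -> {alert['path']}")
```

Severity is keyed on the writing process rather than the path alone because installers do legitimately drop templates into these folders; a user-driven copy by explorer.exe or an archiver into a Trusted Location is the behaviour the lure depends on and is rare enough in most fleets to page on.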
Compared with the botnet before its return, researchers noted the following differences:
- New commands
- New implementation of the communication loop
- The new check-in packet format
- New packer used
Post-infection, Emotet delivers a new variant of the IcedID loader, which appears to be brand new and still under development.
IcedID operates as two-stage malware: the first stage issues a request to download the second stage. The standard IcedID loader also exfiltrates system information to the loader C2, encoded in cookies sent with that request.
“Emotet dropping IcedID marks Emotet as being in full functionality again, by acting as a delivery network for other malware families.
TA542’s return coinciding with the delivery of IcedID is concerning. IcedID has previously been observed as a follow-on payload to Emotet infections,” the researchers said.