The Emotet malware has returned after a four-month hiatus in a high-volume malicious email campaign. The campaign contains several marked differences that researchers say may reflect new operators or management behind the malware.
Since early November, researchers with both Cisco Talos and Proofpoint have observed the malware being distributed at a rate of hundreds of thousands of malicious emails per day, in campaigns that continue to target organizations in the U.S. as well as other countries. Emotet has regularly adopted new tactics since returning in November 2021, nearly ten months after law enforcement disrupted its infrastructure in an internationally coordinated operation.
“Proofpoint expects that the actor will continue to evolve, with potential for higher email volumes, more geographies targeted, and new variants or techniques of attached or linked threats,” said Pim Trouerbach and Axel F, researchers with Proofpoint, in a Wednesday analysis. “Additionally, given the observed changes to the Emotet binary, it is likely to continue adapting as well.”
The November campaigns do have several similarities to Emotet attacks last observed in July. For instance, the malicious emails used in attacks continue to mostly rely on generic lures, including ones that are IRS-themed, as well as thread hijacking techniques and language localization to trick targets. However, multiple changes have also been made to both Emotet and its payloads, including the modules, loader and packer.
While the campaign emails still carry Excel attachments, as in earlier Emotet activity, these Excel files now instruct the target to copy the file to a Microsoft Office Templates folder and open it from there. For the attackers this removes the need to convince users to click "Enable Content," because a document opened from a trusted location runs its macros without the usual warning, but the extra step also adds friction to the attack: moving the file into that folder triggers a confirmation prompt that asks for administrator permissions, so a user without them cannot complete the copy. Researchers said it is not yet clear how effective the technique is.
“This is a trusted location and opening a document located in this folder will cause immediate execution of the macros without any warnings or interactions from the user needed,” said researchers. “However, while moving a file to a template location, the operating system asks users to confirm and that administrator permissions are required to do such a move.”
Changes to the Emotet loader itself include new commands alongside the existing ones for updating the bot and loading modules and executables. Emotet now supports commands to load an executable via regsvr32.exe and to invoke rundll32.exe with a randomly named DLL and the export PluginInit.
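The three host-side behaviours described above (an Office document opened from a Templates folder, regsvr32.exe registering a file the document dropped, and rundll32.exe calling a DLL's PluginInit export) are the kind of thing a detection engineer would want to hunt for in process-creation telemetry. The following is an added example, not code from the article, Proofpoint or Cisco Talos: a small detection pass over constructed, Sysmon-style process-creation records. The record layout (ParentImage|Image|CommandLine), the Templates and user-writable paths, the rule names and every file name in the sample log are assumptions made for the example.

```python
"""
Added example (not code from the article, Proofpoint or Cisco Talos): flag
three behaviours from the Emotet November campaign in constructed
process-creation records shaped as  ParentImage|Image|CommandLine.
All paths, file names and rule names below are assumptions for the example.
"""
import re

# Assumed trusted-location path; extend it from the Trusted Locations
# configured in the Office deployment you are defending.
TEMPLATE_DIR = re.compile(r"\\Microsoft\\Templates\\", re.I)
# Macro-capable Office formats only; .xlsx/.docx cannot carry VBA.
MACRO_DOC = re.compile(r"\.(xls[mb]?|xlam|docm?|dotm)\"?\s*$", re.I)
OFFICE_APPS = {"excel.exe", "winword.exe"}
# rundll32 syntax is "<dll>,<export>"; match the export named in the analysis.
PLUGININIT = re.compile(r",\s*PluginInit\b")
# Directories an unprivileged user can write to (assumed list, extend as needed).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\"
    r"|\\Users\\Public\\|\\Windows\\Temp\\",
    re.I,
)


def basename(path: str) -> str:
    """Lower-cased file-name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(line: str) -> dict:
    """Split one constructed record into its three fields."""
    parent, image, cmd = line.split("|", 2)
    return {"parent": parent, "image": image, "cmd": cmd}


RULES = {
    # Office app launched on a macro-capable file sitting in a Templates folder.
    "office_doc_from_templates": lambda r: basename(r["image"]) in OFFICE_APPS
    and TEMPLATE_DIR.search(r["cmd"]) is not None
    and MACRO_DOC.search(r["cmd"]) is not None,
    # regsvr32 registering something from a location a user could have dropped it in.
    "regsvr32_user_writable": lambda r: basename(r["image"]) == "regsvr32.exe"
    and USER_WRITABLE.search(r["cmd"]) is not None,
    # rundll32 calling the PluginInit export the loader uses.
    "rundll32_plugininit": lambda r: basename(r["image"]) == "rundll32.exe"
    and PLUGININIT.search(r["cmd"]) is not None,
}


def scan(lines):
    """Return (1-based line number, rule name) for every record a rule matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        for name, rule in RULES.items():
            if rule(rec):
                hits.append((n, name))
    return hits


# Constructed sample records; none of these are from a real incident.
SAMPLE_LOG = [
    # 1: Excel opened on a file the user copied into Templates, as the lure instructs
    r"explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|"
    r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\alice\AppData\Roaming\Microsoft\Templates\invoice.xls"',
    # 2: ordinary spreadsheet from Downloads, not macro-capable
    r"explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|"
    r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\alice\Downloads\budget.xlsx"',
    # 3: Excel child process registering a file dropped under AppData
    r"EXCEL.EXE|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\qxv.dll",
    # 4: loader invoking a randomly named DLL's PluginInit export
    r"regsvr32.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\alice\AppData\Local\Wkamv\ujdsk.dll,PluginInit",
    # 5: benign regsvr32 of a system DLL during an installer run
    r"msiexec.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Windows\System32\msxml3.dll",
    # 6: benign rundll32 Control Panel call
    r"explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for n, name in scan(SAMPLE_LOG):
        print(f"record {n}: {name}")
```

The rules are deliberately narrow: the Templates rule fires only on macro-capable extensions, and the regsvr32 rule keys on the directory rather than the file extension because the registered file need not end in .dll. In production the same logic would be expressed as a SIEM or EDR query over Sysmon Event ID 1 or Windows 4688 events rather than run over a list of strings.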
In addition, "one of the biggest changes made to the unpacked loader itself was the reimplementation of the communications loop,” said researchers. “The old version used a sleep to determine how often requests were made to the C2 servers. The new version utilizes the Windows API CreateTimerQueueEx. This API takes a callback function which is called after an initial duration and then after a set period in a loop.”
Post infection, Emotet has also started dropping a new variant of the known IcedID loader. This new version omits IcedID’s previous typical functionalities for exfiltrating system data, leading researchers to believe that the loader is being deployed to already-infected machines where there is no need to check on a system profile.
The new variant also adds commands beyond the existing ones that collect stored browser credentials, browser cookies, running processes and more: it can now send IcedID's internal logs, and it can read and search for files and send their contents to the command-and-control (C2) server. Researchers said these additions may indicate a higher priority being placed on the IcedID bots running on Emotet-infected machines.
IcedID has previously been delivered as a follow-on payload to Emotet infections; however, researchers said the addition of these commands could indicate a change of ownership or a strengthened relationship between the Emotet and IcedID operators. Overall, the return of TA542, the threat group behind Emotet, together with the delivery of IcedID, “is concerning,” and in many cases these infections lead to ransomware, said researchers.
“Emotet dropping IcedID marks Emotet as being in full functionality again, by acting as a delivery network for other malware families. Emotet has not demonstrated full functionality and consistent follow-on payload delivery (that’s not Cobalt Strike) since 2021, when it was observed distributing The Trick and Qbot,” said researchers.