Security news that informs and inspires

Emotet ‘Test’ Campaign Leverages OneDrive, XLL Files

A recent Emotet campaign with significant TTP changes reveals that attackers may be moving away from macro-based attacks, given Microsoft’s recent plans to block VBA macros by default.

A recent, low-volume Emotet campaign exhibited marked changes from typical behaviors of the malware, causing researchers to speculate that the threat actor behind Emotet, TA542, is testing new tactics on a small scale before deploying them at a broader level.

The campaign uncovered by researchers with Proofpoint had several differentiators, including the use of OneDrive URLs rather than Emotet’s usual reliance on Microsoft Office attachments or URLs linking to Office files. The campaign also used XLL files, a type of dynamic link library (DLL) file designed to extend the functionality of Excel, rather than Emotet’s previous use of Microsoft Excel or Word documents containing VBA or XL4 macros.

The new campaign’s lack of macro-enabled documents is notable given Microsoft’s recent announcement that it plans to block VBA macros obtained from the internet by default, starting in April, as well as the company’s plans to disable XL4 macros in 2021. Both changes would make it increasingly difficult for threat actors to rely on macros in their phishing or email-based attacks, whose end goal is delivering malicious payloads or stealing sensitive data.

“The new activity observed by Proofpoint is a departure from their typical behaviors and indicates the group is testing new attack techniques on a small scale before adopting them for larger volume campaigns,” said researchers with Proofpoint on Tuesday. “Alternatively, these new TTPs may indicate that TA542 may now be engaged in more selective and limited attacks in parallel to the typical massive scale email campaigns.”

The Emotet campaign was also low volume, while previous attacks have distributed a high volume of emails to targets globally, with some attacks reaching one million messages total. The attack was first detected in mid-April, when TA542 is known to pause its typical high-volume threat campaigns for what researchers call “a spring break.”

“Nevertheless, Proofpoint analysts attribute this activity with high confidence to threat actor TA542 because since 2014 the actor has closely controlled the Emotet malware and has not rented it to other actors,” said researchers.

The emails, which were not sent by the Emotet spam module, were simple and carried one-word subjects, such as “Salary.” The bodies of the emails contained nothing beyond OneDrive URLs, which hosted zip files containing Microsoft Excel XLL files. The zip archives and XLL files used lures similar to the email subject, including “Salary_new.zip.” When executed, the XLL files ran Emotet using the Epoch 4 botnet.
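As an added example (not part of this article or of Proofpoint’s research), the following Python triages a zip archive like the one in this delivery chain without executing anything: it identifies XLL add-ins by content, an MZ/PE header plus the `xlAutoOpen` entry point Excel calls when loading an add-in, rather than trusting the file extension. The sample archive and its “XLL” member are constructed inline and are not real malware.

```python
import io
import struct
import zipfile

# Excel calls xlAutoOpen when it loads an .xll add-in; finding these export
# names in a DLL marks it as an Excel add-in whatever the file is called.
XLL_ENTRY_POINTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")

def is_pe_image(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage_archive(zip_bytes: bytes) -> list:
    """Classify each zip member by content (never executing it): a PE that
    carries XLL entry points is an Excel add-in regardless of its name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4 * 1024 * 1024)  # cap bytes read per member
            pe = is_pe_image(head)
            if pe and any(name in head for name in XLL_ENTRY_POINTS):
                verdict = "xll_addin"
            elif pe:
                verdict = "pe_executable"
            elif info.filename.lower().endswith(".xll"):
                verdict = "xll_name_no_pe"  # extension lies or file is damaged
            else:
                verdict = "not_executable"
            findings.append({"name": info.filename, "verdict": verdict})
    return findings

def build_sample_archive() -> bytes:
    """Constructed stand-in for the 'Salary_new.zip' lure: a synthetic PE
    skeleton with an xlAutoOpen export name, not a real add-in."""
    fake_xll = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", fake_xll, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    fake_xll += b"\x00" * (0x80 - len(fake_xll)) + b"PE\x00\x00"
    fake_xll += b"\x00" * 64 + b"xlAutoOpen\x00"  # would sit in the export name table
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Salary_new.xll", bytes(fake_xll))
        zf.writestr("Salary.txt", b"constructed benign member")
    return buf.getvalue()
```

A mail gateway or sandbox pre-filter can run `triage_archive` on archives fetched from links in otherwise empty emails and quarantine anything that comes back `xll_addin` or `pe_executable`.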

Emotet, which began as a banking trojan in 2014, eventually evolved into a botnet that sent spam emails to victims in order to install a collection of second-stage payloads (including TrickBot, QakBot and ZLoader) on their devices. In January 2021, law enforcement agencies from Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States announced that they had cracked down on a network of hundreds of botnet servers supporting Emotet. Less than ten months later, in November 2021, Emotet returned with several slight changes, including ones to its communication protocol and the addition of XLS and XLM files to its initial delivery method. In January, researchers observed Emotet campaigns adopting a known technique - using “unconventional” representations of IP addresses - for the first time, in order to avoid detection.

Sherrod DeGrippo, vice president of Threat Research and Detection with Proofpoint, said that threat actors that are agile and experienced, like TA542, will likely continue to experiment with other attack methods that don't rely on malicious macros. Organizations should be aware of these latest new techniques and ensure they are implementing defenses accordingly, she said.

"The Microsoft choice to make changes to default handling of macro documents has implications on the threat landscape and this could be a part of threat actors making decisions to leverage new attack chains that aren’t impacted by that decision," said DeGrippo. "Malicious macro documents are a large part of the threat landscape, but they’re not the only option. We regularly observe actors using container files like .iso’s, for example. Threat actor groups will continue to experiment, and early signs point toward XLL files being one direction the landscape may shift toward."