Emotet Malware Returns with 100K Daily Emails, New Evasion Tactics

December 31, 2020 - The notorious Emotet trojan malware variant has reemerged after a two month lull. The hackers behind the attacks added new evasion tactics and are sending more than 100,000 emails a day, according to recent reports from Cofense and Malwarebytes.

Emotet has been around for several years, and its hackers will commonly partner with other cybercriminals for multi-leveled attacks. Previous iterations have been paired with the TrickBot Trojan, as well as Ryuk, which has wreaked havoc on the healthcare sector in the past.

Throughout the year, Emotet has typically launched massive email campaigns followed by a lull in attacks for about two months. The last surge in attacks were seen in early October being executed in phases, including compromises over port 445.

Emotet is one of the largest senders of malicious emails during its active stages, according to Cofense.

“Emotet has a few primary functions. It acts as an information stealer, harvesting credentials, contact lists and email content from an infected machine,” Cofense explained. “It adds the contacts to its target list, and builds and sends authentic-looking emails using the stolen email content.” 

“Finally, it can deliver other malware as a secondary payload, often leading to separate attacks such as ransomware,” they added.

The latest campaign was detected in the wild just before Christmas with the hackers continuing to alternate between different phishing lures in social-engineering attacks, Malwarebytes explained.

Emotet is also now loading its payload as a DLL combined with a fake error message. Malwarebytes spotted some of the malicious emails leveraging COVID-19-related lures, as well, which could be related to the vaccine rollouts.

What’s concerning is that the latest campaign has added new evasion tactics designed to make successful Emotet infections harder for security leaders to detect. 

The document attached to the emails still claims to be a protected doc that requires macros to be enabled before the user can view it. Further, the document continues to leverage a malicious macro to install the virus.

Previously, Emotet would not provide the user with any visible response after the macros were enable, which could have raised suspicions. The newest version creates a dialog box after the macros are downloaded that tells the user there was an error with Microsoft Word that prevented the file from being opened.

“This gives the user an explanation why they don’t see the expected content, and makes it more likely that they will ignore the entire incident while Emotet runs in the background,” Cofense explained.

The hackers have also updated the malware variant with an .exe extension. Emotet was previously a standalone executable file. The latest version is now a DLL file initialized with the rundll32.exe program built into Windows.

The malware’s command-and-control communication was also updated to leverage binary code instead of plain text. All of these updates make it difficult for administrators to detect a successful compromise.

“Emotet’s active periods have been unpredictable, and its authors have made an effort to adapt both the email campaigns and the malware to spread more effectively,” Condense concluded.

Previous federal alerts on Emotet have encouraged organizations to apply industry-standard mitigation strategies to strengthen their overall cybersecurity posture. Administrators should ensure to block email attachments commonly used in malware attacks, such as .exe and .dll, as well as those that can’t be scanned by antivirus software.

Entities should also implement group policy object and firewall rules, a formalized patch management process, and an antivirus program, while ensuring filters are implemented at the email gateway and blocking suspicious IP addresses at the firewall.

Further mitigation tactics include employing the principle of least privilege, segmenting and segregating networks and functions, limiting unnecessary lateral communications. All endpoints should employ strong password policies or active directory authentication.