On July 13th, 2022, Emotet suddenly stopped spamming in what appears to be a move to protect its victims. At the time it was considered the most widely distributed malware. After a break of almost four months from malicious email spamming, the Emotet operation has returned to the scene.
A new version of Emotet has been detected.
Emotet uses a malicious DLL that is distributed through phishing emails carrying malicious Excel or Word documents. When a recipient opens one of these files and enables macros, Emotet is downloaded and installed on the machine. Once installed, the malware searches for and steals emails to reuse in future spam campaigns, and drops Cobalt Strike or other malicious programs that frequently lead to ransomware infections.
On November 2nd, at about 4:00 a.m. EST, members of the Emotet research group Cryptolaemus reported that the Emotet operation had suddenly come alive again, spamming email addresses all over the world.
Today’s Emotet campaign uses a new Excel attachment template that tells the recipient how to get around Microsoft’s Protected View. When a file is downloaded from the Internet, including as an email attachment, Windows adds a special Mark-of-the-Web (MoTW) flag to it. This flag tells Windows and applications such as Microsoft Office that the file came from an untrusted source and should be handled with extra care.
Mark of the Web Bypass by Emotet malware
When a Microsoft Office document carrying a MoTW flag is opened, Office opens it in Protected View, which blocks macros from running and installing malicious software. In the new Emotet Excel attachment, the threat actors instruct users to copy the file into the trusted ‘Templates’ folder, because doing so bypasses Protected View even for files that carry a MoTW flag.
When a file is copied into the ‘Templates’ folder, Windows warns that ‘administrator’ permission is required; users are likely to simply click ‘Continue.’ Once the attachment is opened from the ‘Templates’ folder, the macro downloads the Emotet DLL into one of several randomly named folders under %UserProfile%\AppData\Local.
The DLL is installed in a random folder under %LocalAppData% and launched with regsvr32.exe, the Windows utility used to register DLLs. Running under regsvr32.exe, the malware quietly connects to its command-and-control server for further instructions or to install additional payloads in the background.
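As an added example that is not part of the original article, the Python below scores constructed process-creation log lines for the launch pattern just described: regsvr32.exe loading a DLL from a randomly named folder under %LocalAppData%, weighted higher when the parent process is an Office application. The log format, the folder names, and the allow-list of known %LocalAppData% folders are assumptions.

```python
"""Score process-creation events for the regsvr32.exe launch pattern described
above. Log format, sample lines and the allow-list are constructed assumptions."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Folders that legitimately hold DLLs directly under %LocalAppData% (assumed allow-list).
KNOWN_LOCAL_FOLDERS = {"microsoft", "google", "temp", "programs", "packages"}
# A DLL sitting in ...\AppData\Local\<single folder>\ anywhere on the command line.
LOCALAPPDATA_DLL = re.compile(
    r'\\AppData\\Local\\(?P<folder>[^\\\s"]+)\\(?P<file>[^\\\s"]+\.dll)', re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Parse one 'Image=...|CommandLine=...|ParentImage=...' line (constructed format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev: dict) -> int:
    """0 = nothing notable; 1 = regsvr32 loading a DLL from a non-standard
    %LocalAppData% folder; 2 = the same, but spawned by an Office application."""
    if basename(ev["Image"]) != "regsvr32.exe":
        return 0
    m = LOCALAPPDATA_DLL.search(ev["CommandLine"])
    if not m or m.group("folder").lower() in KNOWN_LOCAL_FOLDERS:
        return 0
    return 2 if basename(ev["ParentImage"]) in OFFICE_APPS else 1

# Constructed sample log: a benign installer, an Emotet-style chain from Excel,
# a legitimate OneDrive shell extension, a shell-launched copy, an unrelated rundll32.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s C:\Program Files\Vendor\app.dll|ParentImage=C:\Windows\System32\msiexec.exe
Image=C:\Windows\System32\regsvr32.exe|CommandLine=C:\Windows\System32\regsvr32.exe /S ..\..\..\..\Users\alice\AppData\Local\Xtrqoz\ynqf.dll|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s C:\Users\alice\AppData\Local\Microsoft\OneDrive\FileSyncShell64.dll|ParentImage=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Image=C:\Windows\SysWOW64\regsvr32.exe|CommandLine=regsvr32.exe /s C:\Users\alice\AppData\Local\Qwvbx\hdk.dll|ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL|ParentImage=C:\Windows\explorer.exe
"""

def suspicious_events(log: str = SAMPLE_LOG) -> list:
    """Return (score, command line) for every event that scores above zero."""
    hits = []
    for line in log.strip().splitlines():
        ev = parse_event(line)
        if (score := score_event(ev)):
            hits.append((score, ev["CommandLine"]))
    return hits

if __name__ == "__main__":
    for score, cmd in suspicious_events():
        print(f"[score {score}] {cmd}")
```

The allow-list keeps legitimate per-user installs such as OneDrive quiet; tune it to the software actually deployed before relying on score 1 alone.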
An initial intrusion vector to watch closely
So far, the new Emotet infections have not dropped additional malware payloads on infected devices. In the past, Emotet has installed Trickbot malware or Cobalt Strike beacons. Ransomware groups typically start with Cobalt Strike beacons to gain initial access to a network, then steal data and encrypt devices.
In the past, the Ryuk and Conti ransomware gangs gained initial access to corporate networks through Emotet infections. After Conti’s shutdown in June, Emotet partnered with the BlackCat and Quantum ransomware operations to gain access to already infected devices.