Emotet botnet restarts its malicious operation

After four months of inactivity, the Emotet botnet has restarted its malicious activities using an innovative modus operandi.

by Gwendal Smith
November 7, 2022
in Cyber Attacks, Cybercrime, Malware, News, Threat Intelligence

On July 13th, 2022, Emotet suddenly stopped spamming, in what appeared to be a move to protect its victims. At the time it was considered the most widely distributed malware. After almost a four-month break from malicious email spamming, the Emotet operation has returned to the scene.

A new version of Emotet has been detected.

Emotet uses a malicious DLL that is distributed through phishing emails containing malicious Excel or Word documents. When recipients open these files and enable macros, Emotet is downloaded and installed on their machines. Once installed, the malware seeks out and steals emails for use in future spam campaigns, and drops Cobalt Strike or other malicious programs that frequently result in ransomware infections.

On November 2nd, at about 4:00 a.m. EST, members of the Emotet research group Cryptolaemus reported that the Emotet operation had suddenly come alive again, spamming email addresses all over the world.

Today’s Emotet campaign includes a new Excel attachment template that tells the recipient how to turn off Microsoft’s Protected View. When a file is downloaded from the Internet, including as an email attachment, Windows adds a special Mark-of-the-Web (MoTW) flag to the file. This flag tells Windows and Microsoft Office that the file should be treated with extra care.

Mark of the Web Bypass by Emotet malware

When a Microsoft Office document carrying a MoTW flag is opened, Microsoft Office opens it in Protected View, which prevents macros from running and installing malicious software. In the new Emotet Excel attachment, the threat actors instruct users to copy the file into the trusted ‘Templates’ folder, because doing so bypasses Microsoft Office’s Protected View even for files carrying a MoTW flag.

Copying a file into the ‘Templates’ folder triggers a Windows prompt warning that the operation requires ‘administrator’ privileges, but users are likely to simply click ‘Continue.’ When the attachment is then opened from the ‘Templates’ folder, the Emotet malware is downloaded as a DLL into multiple random-named folders under %UserProfile%\AppData\Local.

The DLL is installed in a random-named folder under %LocalAppData% and launched with the regsvr32.exe command, the Windows utility used to register DLLs. Once running under Regsvr32.exe, the malware connects to its Command and Control server in the background for further instructions or to install additional payloads.
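As an added illustration of the infection chain just described (this is example code, not part of the article or of XRATOR's tooling): a small Python triage script that scores process-creation events for the two indicators the article gives, regsvr32.exe spawned by an Office application and a DLL registered from a random-named folder directly under %LocalAppData%. The field names follow Sysmon Event ID 1 conventions, and the events themselves are constructed for the example, not captured from a real infection.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, field names
# simplified); illustrative only, not captured from a real Emotet infection.
SAMPLE_EVENTS = [
    {   # Excel spawns regsvr32 on a DLL in a random-named folder under %LocalAppData%
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Qpxwvb\akdhfjz.dll"',
    },
    {   # Benign: an installer registering a vendor DLL from Program Files
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
    },
    {   # Word spawning regsvr32 on a DLL in a normal location: one indicator only
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe "C:\Program Files\Vendor\addin.dll"',
    },
]

OFFICE_PARENTS = ("excel.exe", "winword.exe")
# A .dll one directory below <user>\AppData\Local: C:\Users\<user>\AppData\Local\<folder>\<file>.dll
LOCALAPPDATA_DLL = re.compile(
    r'[A-Za-z]:\\Users\\[^\\"]+\\AppData\\Local\\[^\\"]+\\[^\\"]+\.dll', re.IGNORECASE)

def score_event(event):
    """Return (score, reasons): 2 = both indicators (high), 1 = one, 0 = nothing."""
    reasons = []
    if not event["Image"].lower().endswith("\\regsvr32.exe"):
        return 0, reasons
    if event["ParentImage"].lower().endswith(OFFICE_PARENTS):
        reasons.append("regsvr32 spawned by an Office application")
    if LOCALAPPDATA_DLL.search(event["CommandLine"]):
        reasons.append("DLL registered from a folder directly under %LocalAppData%")
    return len(reasons), reasons

def find_suspicious(events, min_score=1):
    """Return (index, score, reasons) for each event scoring at least min_score."""
    hits = []
    for i, event in enumerate(events):
        score, reasons = score_event(event)
        if score >= min_score:
            hits.append((i, score, reasons))
    return hits

if __name__ == "__main__":
    for i, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}: score {score}: {'; '.join(reasons)}")
```

Scoring both indicators separately keeps the single-indicator cases visible for review while the score-2 case, an Office parent plus a %LocalAppData% DLL, is the one worth paging on.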

An initial intrusion vector to watch closely

So far, the new Emotet infections have not begun dropping additional malware payloads on infected devices. Previously, Emotet installed Trickbot malware or Cobalt Strike beacons. Ransomware groups use those Cobalt Strike beacons to gain initial access to the network, steal data, and encrypt devices.

In the past, the Ryuk and Conti ransomware gangs obtained initial access to corporate networks through Emotet infections. After Conti’s shutdown in June, Emotet partnered with the BlackCat and Quantum ransomware operations, giving them access to already-infected devices.

Tags: Botnet, Initial Access Broker, Intrusion Vector, Modus Operandi, ransomware
