Emotet is back from vacation

Emotet has sprung back up as one of the most dangerous malware families, and there’s no single tool you can install to sleep tight at night.

In January 2021, Europol disrupted what it called one of the most professional and long-lasting cybercrime services out there. We were under the impression that Europol “had control over the botnet to neuter it”: law enforcement used Emotet’s own update channel to distribute code that essentially acted as a self-destruct button for the poisonous botnet.

However, this spring, many cybersecurity companies pointed out that the advanced, self-propagating, modular Trojan was back. For example, Check Point Research said that Emotet dominated its monthly top-malware charts, impacting around 7% of organizations globally.

It seemed to be on vacation in the middle of summer, with a 50% reduction in its global impact this July.

However, the holiday didn’t last long. Emotet, typically distributed via email, has found new ways to avoid detection and is once again among the most dangerous malware families.

Worrying trend

Recently, many cybersecurity companies have observed an increase in Emotet operations. Cyderes, for example, has seen a significant uptick over the last 60 days. This is highly concerning, given that Emotet has built-in functionality to evade detection.

"Earlier this year, Emotet was attacking Japanese victims using hijacked email threads and then using those accounts to trick victims into opening attachments with malicious embedded macros. One of the more troubling behaviors of this 'new and improved' Emotet is its effectiveness in collecting and utilizing stolen credentials, which are then being weaponized to further distribute the malware," John Ayers, VP of Offensive Security at Cyderes, told Cybernews.

Phishing prevention company Cofense has witnessed an uptick in Emotet-related phishing attempts this week and assesses that this might mark the start of a new round of high-volume phishing from the Emotet botnet.

"Because Emotet acts as a loader for other malware, the greater potential impact to any compromised organizations comes from the malware that Emotet will subsequently drop on infected systems, which could include anything from information stealers to reconnaissance tools prefacing ransomware attacks," Joe Gallop, cyber threat intelligence manager of Cofense, told Cybernews.

During its quiet periods, Emotet’s developers have been known to evolve their tactics to impair security defenses, so every time the botnet returns from silence, it comes with a new twist.

"When it is actively sending emails, Emotet makes most other phishing threat activity sets appear minuscule by comparison of volume," Gallop said.

He noted that despite its massive volume over the past year, Emotet had not been the most successful in bypassing email gateways to reach inboxes.

However, internal Cybernews intel and tests indicate that a number of antivirus programs do not yet detect the new Emotet variant, which is worrisome.

"It's interesting to see the resurrection of Emotet with new and improved evasion and persistence mechanisms and what implications it will have. It is paramount to exercise caution when receiving emails with attachments. In the case of Emotet's reappearance: Excel documents with malicious payloads that pretend to be invoices or other important documents. Emotet employs social engineering to exploit people to gain initial access, which is then used or sold by access brokers to deploy other malware or used for botnets," Mantas Sasnauskas, Head of Research at Cybernews, said.

Neverending battle

Emotet is flexing its muscles yet again. Proofpoint researchers have observed it "delivering what seems to be a development build of a new IcedID Loader." IcedID, also known as BokBot, is a modular banking trojan that has historically arrived in victims' inboxes as a Word document containing macros.

Emotet has also moved from a 32-bit to a 64-bit code base, a change that helps it evade detection.

"Filtering processes for those running a 32-bit code base reduces the candidates to check out for any antivirus or endpoint detection and response tool, which is a rather benign reason for that move. Another worrying reason is that the group behind Emotet is moving its platform to a future-proof one. It's a sign of investment indicating that the group has larger plans for this tool," Dirk Schrader, VP of Security Research at IT software company Netwrix, told Cybernews.

He believes it is quite likely that the Emotet developers' plans include some form of as-a-service offering to compete with other crimeware operations. The ability to steal credit card data is one sign of Emotet's expansion.

"Even if an organization has all the means and tools in place to detect Emotet today, tomorrow's game will be different. With the reactive nature of detection, it needs to know what to look for. Any change happening to Emotet's abilities needs to be tracked down, incorporated into detection, and distributed to customers of any security tool vendor. Adding to that, having information from research around the evolving TTPs of Emotet is a must for the threat intelligence used by organizations," Schrader added.

No panacea

According to Jorge Mieres, a Senior Threat Researcher at security company Fortra, Emotet attempts to collect payment card data stored in the Google Chrome browser (and potentially other browsers). Another module targets the SMB (Server Message Block) protocol that organizations use to share internal resources, so that an infection on one host can spread to others on the network.

Both Mieres and Schrader believe there will never be a 100% solution to protect against Emotet or, for that matter, any other malware, given that they are constantly evolving.

“In parallel, there is a fundamental component within any security process that is not always considered in its proper measure: the human factor. Emotet and other threats try to exploit the human factor in the first instance. Take e-mail as an example of a common entry point for cyber-attacks. The security tool is designed to detect these malicious e-mails, but if one should get through, then employees need to be aware that a spear phishing e-mail containing attachments or malicious links embedded in the body of the message needs to be reported and not opened or clicked on,” Mieres said.

Daniel Hofmann, CEO at Hornetsecurity, shared some advice to mitigate the risks:

1. Since Emotet often hides in Microsoft Office files and needs macros to install malicious programs, it makes sense not to allow them. In private use and most business areas, they are not required. If you still cannot do without macros, it is possible to enable only those that are signed.

2. Any security updates released for operating systems, anti-virus programs, web browsers, e-mail clients, and Office programs must be installed immediately.

3. Regular data backups are recommended.

4. Vigilance is the top priority: even with supposedly known senders, you should be careful with file attachments to e-mails, especially Office documents and the links they contain. When in doubt, it is advisable to contact the sender of a suspicious e-mail directly and check the credibility of the content.

5. Access to the company’s network should be continuously monitored, so it can be determined in good time whether an Emotet infection has occurred.
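Items 1 and 4 both come down to keeping macro-bearing Office documents away from users. The following Python script is an added example, not Cybernews' or Hornetsecurity's code, of the triage check a mail gateway or an analyst could run on an attachment before anyone opens it. It relies on three facts about Office formats: OOXML files (.docx, .xlsm and friends) are ZIP containers that store a VBA project as a part named vbaProject.bin and declare it in [Content_Types].xml; Excel 4.0 (XLM) macro sheets in OOXML live under xl/macrosheets/ and are missed by a VBA-only check; and legacy .doc/.xls files are OLE compound files (magic bytes D0 CF 11 E0 A1 B1 1A E1) whose macro streams need a real OLE parser, so they are only flagged for deeper inspection here. The sample attachments and their file names are constructed in memory for the demonstration.

```python
"""Triage Office e-mail attachments for macro content before a user opens them.

Added example (not Cybernews' or any vendor's code). The sample attachments
below are constructed in memory; the file names are invented.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # declared in [Content_Types].xml
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return {'file', 'verdict', 'reasons'}.

    verdict: 'block'   - macro content (or a macro-enabled extension) found
             'inspect' - legacy OLE or corrupt ZIP; cannot be judged without an OLE parser
             'allow'   - no macro indicator
    """
    reasons = []
    lower = filename.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""

    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE container; VBA streams require OLE parsing")
        return {"file": filename, "verdict": "inspect", "reasons": reasons}

    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # Look at the content, not the extension: a renamed .docm still carries these parts.
                if any(n.endswith("vbaProject.bin") for n in names):
                    reasons.append("VBA project part present (vbaProject.bin)")
                if any(n.startswith("xl/macrosheets/") for n in names):
                    reasons.append("Excel 4.0 macro sheet present (xl/macrosheets/)")
                if "[Content_Types].xml" in names:
                    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                    if VBA_CONTENT_TYPE in ctypes:
                        reasons.append("content type declares a VBA project")
        except zipfile.BadZipFile:
            reasons.append("corrupt ZIP container")
            return {"file": filename, "verdict": "inspect", "reasons": reasons}

    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled extension {ext}")

    return {"file": filename, "verdict": "block" if reasons else "allow", "reasons": reasons}


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style ZIP from {part_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


CONTENT_TYPES_PLAIN = b'<Types><Default Extension="xml" ContentType="application/xml"/></Types>'
CONTENT_TYPES_VBA = (b'<Types><Override PartName="/word/vbaProject.bin" '
                     b'ContentType="application/vnd.ms-office.vbaProject"/></Types>')

# Constructed samples: one clean document, one macro document disguised as .docx,
# one XLM macro workbook, one legacy OLE file, one plain text file.
SAMPLE_ATTACHMENTS = {
    "Invoice_0421.docx": _ooxml({"[Content_Types].xml": CONTENT_TYPES_PLAIN,
                                 "word/document.xml": b"<w:document/>"}),
    "Invoice_0422.docx": _ooxml({"[Content_Types].xml": CONTENT_TYPES_VBA,
                                 "word/document.xml": b"<w:document/>",
                                 "word/vbaProject.bin": b"\x00" * 64}),
    "Payment_details.xlsm": _ooxml({"[Content_Types].xml": CONTENT_TYPES_PLAIN,
                                    "xl/workbook.xml": b"<workbook/>",
                                    "xl/macrosheets/sheet1.xml": b"<xm:macrosheet/>"}),
    "Scan_2022.doc": OLE_MAGIC + b"\x00" * 504,
    "notes.txt": b"Meeting at 10am.",
}


def triage_all(samples=SAMPLE_ATTACHMENTS) -> dict:
    """Triage every sample attachment; returns {filename: verdict}."""
    return {name: triage_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        v = triage_attachment(name, data)
        print(f"{v['verdict']:8} {name}: {'; '.join(v['reasons']) or 'no macro indicators'}")
```

The check deliberately inspects the container rather than trusting the extension, since a macro-enabled document renamed to .docx still carries vbaProject.bin. Anything that comes back as "inspect" should go to an OLE-aware tool rather than straight to the user, and a "block" verdict on a file the business genuinely needs is the moment to apply item 1's fallback of allowing only signed macros.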