The notorious Emotet malware operation has returned to its malicious ways following a three-month break. Emotet is malware distributed through email campaigns that carry malicious Microsoft Word and Excel document attachments.
When a user opens one of these documents and enables macros, the Emotet DLL is downloaded and loaded into memory. Once loaded, the malware sits quietly, waiting for instructions from a remote command and control server.
Eventually, the malware steals victims' emails and contacts for use in future Emotet campaigns, or downloads additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.
Emotet's activity had gradually tapered off: its last spam operation was seen in November 2022, and that run lasted only two weeks.
The return of Emotet
Emotet-tracking group Cryptolaemus has warned that the Emotet botnet has resumed sending emails. Cybersecurity firm Cofense confirmed that the spam campaign began at 7:00 AM ET, with volumes so far remaining low.
The threat actors are using emails that pretend to be invoices, with ZIP archives attached. The Word documents inside those archives are inflated to over 500 MB: they are padded with unused data so that the files become large enough to be harder for antivirus solutions to scan and flag as malicious.
These Microsoft Word documents use Emotet’s ‘Red Dawn’ document template, prompting users to enable content on the document to see it correctly.
At the time of writing, only one of 64 antivirus engines detects the document, and that vendor flags it only generically as 'Malware.SwollenFile'. Once running, the malware stays in the background awaiting commands, which will likely install further payloads on the device.
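Because signature engines largely miss these documents, a useful first-pass check is structural rather than signature-based: a document padded to hundreds of megabytes with unused data is large on disk yet compresses to almost nothing, and an OOXML document (.docm/.docx/.xlsm) is itself a ZIP whose entries can be listed for a VBA project stream and for filler. The following Python script is an added example written for this article, not code from the original page or from Cryptolaemus or Cofense. It builds its own constructed sample archive (a ZIP holding a Word-style file padded with stored null bytes, scaled down from 500 MB so it runs in memory) and triages it; the file name Invoice.docm, the thresholds, and the "one repeated byte" test for padding are assumptions for demonstration, not observed Emotet indicators.

```python
import io
import zipfile

# File types Emotet lures have used; extend as needed (assumption for this example).
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx")


def build_sample_archive(pad_bytes: int, with_macro: bool) -> bytes:
    """Return a ZIP holding a constructed Word-style (OOXML) file.

    The document is padded with a stored block of null bytes, so it is large on
    disk but shrinks to almost nothing once zipped, matching the inflated lures
    described above. Scaled down from 500 MB so the example runs in memory.
    """
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stand-in for a real VBA project stream (constructed bytes).
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
        if pad_bytes:
            # ZIP_STORED keeps the filler uncompressed inside the document.
            z.writestr("word/media/pad.bin", b"\x00" * pad_bytes,
                       compress_type=zipfile.ZIP_STORED)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Invoice.docm", doc.getvalue())  # assumed lure file name
    return outer.getvalue()


def _is_padding(entry: zipfile.ZipInfo, data: bytes, min_size: int) -> bool:
    """An entry of at least min_size made of one repeated byte is filler."""
    return entry.file_size >= min_size and data.count(data[:1]) == len(data)


def analyze_archive(data: bytes, max_doc_size: int, min_ratio: float) -> list:
    """Inspect each Office document in a ZIP without opening it in Office.

    Flags: size above max_doc_size, an outer compression ratio at or above
    min_ratio (low-entropy padding compresses extremely well), the presence
    of a VBA project stream, and inner entries that are pure filler.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if not info.filename.lower().endswith(OFFICE_EXTS):
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            doc = outer.read(info)
            f = {
                "name": info.filename,
                "size": info.file_size,
                "ratio": round(ratio, 1),
                "oversized": info.file_size > max_doc_size,
                "high_ratio": ratio >= min_ratio,
                "has_macro": False,
                "padding": [],
            }
            # OOXML (.docx/.docm/.xlsx/.xlsm) is itself a ZIP; legacy .doc/.xls is not.
            if zipfile.is_zipfile(io.BytesIO(doc)):
                with zipfile.ZipFile(io.BytesIO(doc)) as inner:
                    for e in inner.infolist():
                        if e.filename.lower().endswith("vbaproject.bin"):
                            f["has_macro"] = True
                        elif _is_padding(e, inner.read(e), max_doc_size // 10):
                            f["padding"].append(e.filename)
            # Padding alone is not malicious; padding plus a macro stream is worth a look.
            f["suspicious"] = f["has_macro"] and (
                f["oversized"] or f["high_ratio"] or bool(f["padding"]))
            findings.append(f)
    return findings


if __name__ == "__main__":
    sample = build_sample_archive(pad_bytes=2 * 1024 * 1024, with_macro=True)
    for finding in analyze_archive(sample, max_doc_size=1024 * 1024, min_ratio=50.0):
        print(finding)
```

The thresholds are deliberately parameters: a mail gateway would set max_doc_size near the point at which its own scanner stops inspecting files, which is exactly the limit the padding is meant to exceed. Note that the check reads each inner entry into memory, so for a genuine 500 MB attachment it should run on a host with room to spare.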
These attacks commonly lead to data theft and full-blown ransomware attacks on breached networks. Cofense says it has not yet seen any additional payloads being dropped; for now the malware is only collecting data for future spam campaigns.
However, a recent change by Microsoft may impede Emotet's success. In July 2022, Microsoft finally disabled macros by default in Microsoft Office documents downloaded from the Internet.
Because of this change, users who open an Emotet document are greeted with a message stating that macros are blocked because the source of the file is not trusted. This block relies on the Mark of the Web that browsers and mail clients attach to downloaded files, so it only helps when that mark survives extraction of the document from the ZIP archive.
Overall, the return of the Emotet malware operation after a three-month break is concerning, as it is a notorious malware that has caused significant damage in the past.
Help from Microsoft
While Microsoft's change may hinder Emotet's success, the malware is still capable of causing harm to devices worldwide. Emails that pretend to be invoices, padded ZIP archives, and the 'Red Dawn' document template are among the tactics Emotet uses to get past defenses and persuade users to enable macros.
Although the current spam campaign's volume remains low, the malware is collecting data for future spam campaigns, which raises the possibility of full-blown ransomware attacks on breached networks. Individuals and organizations should stay vigilant and take measures to protect themselves from Emotet and other malware.