In 2021, the network around Emotet was broken up. But that doesn't mean that Emotet has completely disappeared from the web. On the contrary: there are always signs that the group around Emotet is looking for new avenues of attack.
Since its return, Emotet has appeared in several spam campaigns. Mealybug, the hacker group behind the botnet, has developed numerous new modules and revised existing ones. The masterminds behind Emotet learned a lot from the takedown two years ago and invested a lot of time in preventing their botnet from being discovered.
Emotet's infrastructure is dead - the malware lives
In its last operation, targets in Italy, Spain, Japan, Mexico and South Africa were attacked. Since April 2023 the activities of Emotet have been suspended. The ESET researchers suspect that the hackers are looking for new attack vectors.
“Emotet spreads via spam emails. The malware can steal sensitive information from compromised computers and inject third-party malware onto them. The operators of Emotet are not very picky about their goals. They install their malware on the systems of individuals as well as companies and larger organizations,” says ESET researcher Jakub Kaloč, who helped with the analysis.
Emotet had to find new attack vector
From late 2021 to mid-2022, Emotet spread mainly via VBA macros in Microsoft Word and Excel documents. In July 2022, Microsoft changed the game for all malware families like Emotet and Qbot - which had used phishing emails with malicious documents as a propagation method - by disabling VBA macros in documents pulled from the Internet.
“The shutdown of Emotet's main attack vector prompted its operators to look for new ways to compromise their targets. Mealybug started experimenting with malicious LNK and XLL files. However, as 2022 drew to a close, Emotet operators struggled to find a new attack vector as effective as VBA macros. In 2023, they ran three different malspam campaigns, each testing a slightly different route of intrusion and a different social engineering technique,” explains Kaloč. "However, the shrinking scope of attacks and constant changes in approach may indicate dissatisfaction with the results." Emotet later embedded a decoy in Microsoft OneNote. Despite warnings upon opening that this action could result in malicious content, users clicked on it.
Criminals continue to develop Emotet
After its reappearance, Emotet received several upgrades. The most notable features were that the botnet changed its cryptographic scheme and implemented several new obfuscations to protect its modules. Since their return, Emotet operators have made significant efforts to prevent their botnet from being monitored and tracked. Also, they have implemented several new modules and improved existing modules to stay profitable.
Emotet is distributed via spam emails. People often trust these messages because criminals successfully use special techniques to hijack conversation histories in emails. Before the takedown, Emotet used modules we call Outlook Contact Stealer and Outlook Email Stealer, which were able to steal emails and contact information from Outlook. However, since not everyone uses Outlook, after returning Emotet also focused on a free alternative email application: Thunderbird. Furthermore, it started using Google Chrome Credit Card Stealer module, which steals credit card information stored on Google Chrome browser.
According to ESET telemetry and the impression of the researchers, the Emotet botnets have been quiet since the beginning of April 2023. This is likely due to finding a new effective attack vector. Japan (2022%), Italy (43%), Spain (13%), Mexico (5%) and South Africa (5%) were targeted for most of the attacks detected by ESET since January 4 to date.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.