What just happened? The Emotet botnet was dead, or so researchers thought. The malicious network is now back in business with a new phishing campaign, exploiting a novel technique to push users and companies to infect themselves.
After a 4-month hiatus, Emotet is again active as one of the most dangerous botnet operations out there. Cyber-criminals are using the network to spread malicious software and other potential infections, with a new trick designed to bypass protections in Microsoft Office applications.
Emotet was considered one of the most widespread infections until July 2022, when the network suddenly stopped spamming campaigns and third-party malware distribution. Now, the botnet is back in “distribution mode,” according to the research group Cryptolaemus.
🚨Emotet back in Distro Mode🚨 – As of 0800 UTC E4 began spamming and as of 0930 UTC E5 began spamming again. Looks like Ivan is in need of some cash again so he went back to work. Be on the lookout for direct attached XLS files and zipped and password protected XLS. 1/x
— Cryptolaemus (@Cryptolaemus1) November 2, 2022
The infamous Emotet botnet began spamming again on November 2nd, with a new email phishing campaign targeting stolen email reply chains. The network is now distributing malicious Excel attachments, sending them to users speaking different languages while pretending to be invoices, scans, forms, and other engaging “baits.” The malware can also be Zip archives or password-protected XLS spreadsheets.
Emotet’s latest campaign brings a new tool to the botnet’s arsenal –an Excel template that includes instructions on bypassing Microsoft’s Protected View technology. Protected View marks files from the internet with a “Mark-of-the-Web” flag, which instructs Office applications to open said files in protected mode, thus avoiding direct execution of the attached macros.
The instructions in the malicious spreadsheet advise users to copy the file into one of the “trusted” Template folders of Microsoft Office. When opened from trusted locations, the malicious document will bypass Protected View executing the included macros and spreading the Emotet infection.
The new Emotet malware downloads in Dll form and executes on the system using the legitimate Regsvr32.exe tool. Once active, Emotet sits quietly, waiting for instructions from the botnet’s command & control server. For now, the network doesn’t seem to drop additional malicious payloads as it did before its vanishing act.
One of the most notorious features of Emotet has always been the ability to work in partnership with other malicious operations, spreading dangerous malware like TrickBot, Cobalt Strike, and others. In the past, Emotet was a powerful force behind ransomware attackers like Ryuk, Conti, BlackCat, and Quantum. The botnet provided initial access to already infected networks and devices for easier ransomware spreading.