Emotet, recognized as one of the most notorious and persistent malware families in recent history, has re-emerged with notable alterations to its tactics, techniques, and procedures following a period of dormancy between late 2022 and March 2023.
This report aims to provide a comprehensive perspective on Emotet's activities and recent developments, offering cybersecurity professionals crucial insights needed to effectively counter this highly versatile and modular malware.
Humble Beginnings and Attribution
Initially surfacing as a relatively straightforward banking Trojan, Emotet primarily targeted financial institutions in Germany and Austria. This early version aimed to exfiltrate financial data by intercepting online banking sessions through man-in-the-browser (MITB) tactics. As Emotet continued to expand its capabilities and evolve, security researchers were able to attribute the malware's development to the threat group known as TA542, Mealybug, or MUMMY SPIDER. This group is thought to have ties to Russian-speaking threat actors; however, conclusive attribution to a specific nation remains uncertain.
By 2017, TA542 initiated an affiliate program, allowing other threat actors access to their robust malspam botnet and command-and-control infrastructure. Functioning as a Malware-as-a-Service platform, TA542 became the first group observed distributing the IcedID banking Trojan.
Since that time, Emotet has served as a delivery mechanism for various malware, including Trickbot, Qakbot, and Gootkit, as well as the Ryuk and Conti ransomware strains.
Technical Analysis of Recent Activity
TA542 presents a considerable threat to an extensive range of targets, encompassing small businesses, multinational corporations, and governmental agencies across Europe, the United States, and the APAC region. As the group broadens its focus in malspam botnet operations, it rapidly refines its modus operandi to excel in diverse environments while incorporating new capabilities.
In March 2023, security researchers observed a resurgence of Emotet malspam campaigns after a period of dormancy. These renewed campaigns were found to employ the previously identified "Red Dawn" template in conjunction with fraudulent invoice and U.S. tax-themed malspam.
A notable example of the latest U.S. tax-themed malspam campaign involves Emotet leveraging the W-9 form as a lure, enticing victims to download malicious Office documents. These emails are designed to impersonate communications from an "Inspector" at the Internal Revenue Service, with the sender's name displayed as "IRS Online Center."
During the early stages of this campaign in March, the emails featured a ZIP archive named "W-9 form.zip," which contained a highly obfuscated 500 MB Word document. This document was specifically designed to evade antivirus detection. However, as Microsoft implemented macro-blocking by default in their Office Suite, TA542 quickly adapted its tactics.
In response to Microsoft's security measures, TA542 shifted to using Microsoft OneNote documents embedded with VBScript files to install Emotet. This strategic adaptation demonstrates the group's persistence and resourcefulness in evading security controls and maintaining the effectiveness of their malspam campaigns.
The attached OneNote documents, often incorporating "W9" in their filenames, exhibit a comparable approach to previously observed techniques in Microsoft Word and Excel documents. These files prompt users to click a button to access the complete contents, a tactic consistent with earlier Emotet strategies.
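As an added example that is not part of the original report, the following mail-gateway style check looks for the attachment pattern described above: a ZIP archive carrying a tax or invoice themed lure whose inner Office or OneNote file has been inflated to an unusual size. It assumes the inflation is low-entropy padding (so the entry compresses far better than a real document) and uses constructed name patterns and thresholds.

```python
import io
import zipfile
from typing import List, Tuple

# Assumed patterns and thresholds; PADDED_SIZE is kept small so the demo runs
# quickly, a production gateway would tune it to the campaign (hundreds of MB).
LURE_WORDS = ("w9", "w-9", "invoice")
RISKY_EXT = (".one", ".doc", ".docm", ".xls", ".xlsm", ".wsf", ".vbs", ".js")
PADDED_SIZE = 8 * 1024 * 1024   # uncompressed size above which padding is suspected
MIN_RATIO = 50                  # uncompressed/compressed ratio typical of zero padding

def inspect_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry_name, reason) pairs for entries matching the campaign pattern."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith(RISKY_EXT):
                continue
            if any(word in name for word in LURE_WORDS):
                findings.append((info.filename, "lure filename with risky extension"))
            # Padding is mostly repeated bytes, so it compresses far better than a real document.
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size >= PADDED_SIZE and ratio >= MIN_RATIO:
                findings.append((info.filename, f"padded: {info.file_size} bytes, ratio {ratio:.0f}:1"))
    return findings

def build_sample() -> bytes:
    """Constructed sample archive: one padded lure document and one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # 16 MB of zeros stands in for the inflated document the report describes.
        zf.writestr("W-9 form.doc", b"fake header" + b"\x00" * (16 * 1024 * 1024))
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, reason in inspect_zip(build_sample()):
        print(entry, "->", reason)
```

Running the block flags the constructed "W-9 form.doc" twice (lure name, then padding) and ignores the text file.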
In this particular attack chain, the OneNote file conceals a malicious Windows Script File (WSF) beneath the "View" button. When the target clicks the button, Wscript.exe is invoked to execute the embedded VBScript.
Upon deobfuscation, the VBScript functions as a downloader, facilitating the retrieval of the Emotet binary payload from what is likely a compromised website in the form of a .zip file. This downloader component demonstrates the adaptability and sophistication of Emotet malware campaigns, which are designed to bypass security controls and remain undetected.
The payload is typically encrypted and concealed within the .zip file, further complicating detection efforts by security solutions. Once downloaded, the payload is decrypted and extracted, revealing the Emotet binary in the form of a .DLL file.
Once the Emotet payload is downloaded, decrypted, and extracted as a DLL, the malware uses the "regsvr32.exe" utility to execute the DLL, which subsequently launches the malicious payload. This technique is known as "DLL side-loading" and is a common method used by threat actors to bypass typical security measures.
When the .DLL is executed, Emotet contacts its C2 infrastructure and reports details about the newly compromised system.
Post Exploitation and Additional Payloads
To establish persistence on an infected system, Emotet creates an AutoStart registry key pointing to the location of its binary. This persistence enables the malware to maintain its presence and continue its malicious activities, such as exfiltrating sensitive information or deploying additional payloads.
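As an added example (not code from the original report), the detector below walks constructed endpoint telemetry for the three stages described in this section and the previous one: OneNote spawning the Windows Script Host, regsvr32.exe loading a DLL from a user-writable path, and an AutoStart (Run) key that points regsvr32 at such a DLL. The event schema, field names and path markers are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional

# Path fragments treated as user-writable locations (assumed for this demo).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

@dataclass
class Event:
    kind: str           # "process" or "registry"
    parent: str = ""    # parent image (process events)
    image: str = ""     # child image (process events)
    cmdline: str = ""   # command line (process) or value data (registry)
    key: str = ""       # registry key path (registry events)

def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def classify(ev: Event) -> Optional[str]:
    if ev.kind == "process":
        parent, child, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
        # Stage 1: OneNote launching the Windows Script Host for the embedded WSF.
        if parent == "onenote.exe" and child in ("wscript.exe", "cscript.exe"):
            return "onenote_spawned_script_host"
        # Stage 2: regsvr32 loading a DLL from a user-writable path (the decrypted Emotet DLL).
        if child == "regsvr32.exe" and ".dll" in cmd and in_user_writable(cmd):
            return "regsvr32_user_writable_dll"
    elif ev.kind == "registry":
        # Stage 3: a Run (AutoStart) key whose data points regsvr32 at such a DLL.
        data = ev.cmdline.lower()
        if "\\currentversion\\run" in ev.key.lower() and "regsvr32" in data and in_user_writable(data):
            return "run_key_regsvr32_persistence"
    return None

def scan(events: List[Event]) -> List[str]:
    # Labels of every event that matches a stage, in telemetry order.
    return [label for ev in events if (label := classify(ev)) is not None]

# Constructed telemetry: three events from the chain plus two benign ones.
SAMPLE = [
    Event("process", parent="onenote.exe", image="wscript.exe",
          cmdline='wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\OneNote\\W9.wsf"'),
    Event("process", parent="wscript.exe", image="regsvr32.exe",
          cmdline='regsvr32.exe /s "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.dll"'),
    Event("registry", key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
          cmdline='regsvr32.exe /s "C:\\Users\\alice\\AppData\\Local\\example\\example.dll"'),
    Event("process", parent="explorer.exe", image="onenote.exe", cmdline="onenote.exe"),
    Event("process", parent="msiexec.exe", image="regsvr32.exe",
          cmdline='regsvr32.exe /s "C:\\Program Files\\Vendor\\plugin.dll"'),
]
```

Calling scan(SAMPLE) returns the three stage labels in order and ignores the benign OneNote launch and the installer-driven regsvr32 call under Program Files.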
Emotet's typical data exfiltration process involves collecting data, such as contacts, emails, and credentials, from the infected machine. The acquired emails and contacts are subsequently utilized by the malspam botnet to expand its target base. This includes the injection of malspam into existing email chains, further propagating the malware.
Security researchers have recently (Q4 2022-2023) seen Emotet drop the following additional payloads:
Cobalt Strike (for lateral movement)
Quantum ransomware
BlackCat ransomware
Defending against Emotet in 2023
Defending against the Emotet campaign requires a layered approach due to its rapidly evolving nature. It remains one of the most notorious malware families in recent history and presents an ongoing challenge for defenders.
Effectively defending against Emotet and its recent campaigns requires a multi-layered approach that encompasses the following strategies:
User Awareness and Training: Establish a robust Security Awareness Program within your organization, as it serves as the first line of defense against email-based attacks. Emphasize the importance of recognizing phishing emails, malicious tactics, and other social engineering techniques employed by TA542.
Email Filtering and Spam Protection: Implement strong email filtering and spam protection measures to minimize the probability of Emotet-related malspam reaching users' inboxes. Be vigilant for emails containing large files or attachments, as these have been commonly associated with previous campaigns.
Scripting Monitoring and Restriction: Closely monitor the usage of PowerShell and other scripting languages within your organization, imposing execution restrictions where necessary. Emotet is known to exploit these tools during the infection process, so limiting their usage can help mitigate potential threats.
Application Whitelisting: Employ application whitelisting solutions to control which applications are permitted to execute on your organization's systems. This precaution can help prevent unauthorized or malicious applications, such as Emotet and its associated payloads, from running on endpoints.
Indicators of Compromise
ac8f0db9fd6a91a765aeeed5eafd7a19ad2e37362f6d3468a386ee8a9f4dc7e5
erkaradyator[.]com[.]tr
sachininternational[.]com
ardena[.]pro
panel[.]chatzy[.]in
hospedagemdesites[.]ws
esentai-gourmet[.]kz
188[.]132[.]217[.]107
209[.]126[.]85[.]32