Emotet Malware Makes a Comeback with New Evasion Techniques

January 24, 2023 | Ravie Lakshmanan | Cyber Threat / Cyber Crime


The Emotet malware operation continues to refine its tactics to stay under the radar while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID.

Emotet officially resurfaced in late 2021 after law enforcement systematically dismantled its infrastructure in early 2021, and it remains a persistent threat distributed via phishing emails.

Attributed to a cybercriminal group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the malware has evolved from a banking Trojan into a malware distributor since it first appeared in 2014.

The malware-as-a-service (MaaS) offering is also modular, allowing the operators to deploy a set of proprietary and freeware components that can steal sensitive information from compromised machines or perform other post-exploitation activities.

Two of the latest additions to Emotet’s modular arsenal are an SMB spreader designed to facilitate lateral movement using a list of hardcoded usernames and passwords, and a credit card stealer targeting the Chrome web browser.

Recent campaigns involving the botnet have used generic lures with weaponized attachments to initiate attack chains. But with macros becoming an obsolete method of payload distribution and initial infection, the attacks have shifted to other methods that let Emotet slip past malware detection tools.


In a report published last week, BlackBerry said, “The latest wave of Emotet spam emails include attached .XLS files containing new ways to trick users into downloading droppers with macros. A new Emotet variant has moved from 32-bit to 64-bit as another way to avoid detection.”

In this method, the victim is instructed to move the decoy Microsoft Excel file to the default Office Templates folder in Windows (a location trusted by the operating system); once the file is opened from there, the malicious macro embedded in the document runs without the usual security prompt and delivers Emotet.
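The lure works because Office suppresses its macro warning for files opened from a Trusted Location, and the default user Templates folder (%APPDATA%\Microsoft\Templates) is both a Trusted Location and writable by the user. The following PowerShell script is an added audit example written for this article; it is not code from BlackBerry or from the Emotet analysis. It enumerates the Trusted Locations configured for Excel, flags those the current user can write to, reads the macro policy values that govern this path, and lists workbooks recently written into the Templates folder. It assumes Office 16.0 (Office 2016/2019/Microsoft 365) and is meant to be run as the user being audited.

```powershell
# Added audit example (not from the article): checks the Excel trust settings the
# "move the file to the Templates folder" lure depends on.
# Assumes Office 16.0 (2016/2019/Microsoft 365); change $OfficeVersion for other builds.
$OfficeVersion = '16.0'
$App = 'Excel'

# A Trusted Location the interactive user can write to defeats the macro prompt:
# any workbook dropped there runs its VBA silently. Heuristic: inside the user
# profile, or an ACL entry granting write/modify to the user or a broad group.
function Test-UserWritablePath {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $userProfile = [Environment]::GetFolderPath('UserProfile')
    if ($Path.StartsWith($userProfile, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $ids = @($me, 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ids -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights -match 'Write|Modify|FullControl') { return $true }
    }
    return $false
}

# Enumerate Trusted Locations from the user hive and from the policy hive.
function Get-OfficeTrustedLocations {
    $roots = @(
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security\Trusted Locations",
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security\Trusted Locations"
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            if (-not $props.Path) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($props.Path)
            [pscustomobject]@{
                Key             = $key.PSChildName
                Path            = $expanded
                AllowSubfolders = [bool]$props.AllowSubfolders
                Description     = $props.Description
                UserWritable    = Test-UserWritablePath -Path $expanded
            }
        }
    }
}

# Macro policy values that matter here; the policy hive takes precedence, so it is read first.
# VBAWarnings: 2 = disable with notification (default), 4 = disable all without notification.
function Get-ExcelMacroPolicy {
    $hives = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security",
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    )
    $r = [ordered]@{ VBAWarnings = $null; BlockContentExecutionFromInternet = $null
                     AllLocationsDisabled = $null; AllowUserLocations = $null }
    foreach ($h in $hives) {
        if (-not (Test-Path $h)) { continue }
        $v = Get-ItemProperty -Path $h
        if ($null -eq $r.VBAWarnings) { $r.VBAWarnings = $v.VBAWarnings }
        if ($null -eq $r.BlockContentExecutionFromInternet) { $r.BlockContentExecutionFromInternet = $v.blockcontentexecutionfrominternet }
        $tl = Join-Path $h 'Trusted Locations'
        if (Test-Path $tl) {
            $t = Get-ItemProperty -Path $tl
            if ($null -eq $r.AllLocationsDisabled) { $r.AllLocationsDisabled = $t.AllLocationsDisabled }
            if ($null -eq $r.AllowUserLocations)  { $r.AllowUserLocations  = $t.AllowUserLocations }
        }
    }
    [pscustomobject]$r
}

# Workbooks recently written into the default user Templates folder, which Office
# trusts by default; a fresh .xls/.xlsm there is exactly what this lure produces.
function Get-RecentTemplateWorkbooks {
    param([int]$Days = 7)
    $templates = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Microsoft\Templates'
    if (-not (Test-Path $templates)) { return @() }
    Get-ChildItem -Path $templates -Recurse -File -Include *.xls, *.xlsm, *.xlsb, *.xltm |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, LastWriteTime, Length
}

Write-Host "Excel macro policy (null = not set, Office default applies):"
Get-ExcelMacroPolicy | Format-List
Write-Host "Trusted Locations writable by the current user (macros run without a prompt here):"
Get-OfficeTrustedLocations | Where-Object UserWritable | Format-Table Key, Path, AllowSubfolders, Description -AutoSize
Write-Host "Workbooks written to the default Templates folder in the last 7 days:"
Get-RecentTemplateWorkbooks | Format-Table -AutoSize
```

On a default install the script will typically flag the "User Templates" location, which is the folder the lure targets. The mitigation is the policy side: set VBAWarnings to 4 (or at least 3, signed macros only) through Group Policy, set AllowUserLocations to 0 so users cannot add Trusted Locations of their own, and, where the business can tolerate it, enable "Disable all trusted locations" (AllLocationsDisabled = 1) so the Templates folder no longer bypasses the prompt. For detection, file-creation events for .xls/.xlsm under %APPDATA%\Microsoft\Templates from a mail client or browser process are a low-volume, high-signal alert.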

This development marks Emotet’s steady effort to retool itself and propagate other malware such as Bumblebee and IcedID.

“During its steady evolution over the past eight years, Emotet continues to become more sophisticated in terms of evasion tactics,” the cybersecurity firm said.
