Notorious botnet Emotet is reportedly testing out new attack methods that bypass Microsoft's new protections against macros in Office documents and instead leverage OneDrive URLs and PowerShell.
The Emotet botnet began its reemergence in November 2021 after its January 2021 takedown by a multinational coalition of law enforcement agencies, with the group behind the botnet targeting “thousands of customers with tens of thousands of messages in multiple geographic regions,” and some message volumes reaching over 1 million per campaign, according to cybersecurity firm Proofpoint. However, the newly discovered Emotet activity suggests that the group is testing new techniques on a smaller scale and in a more selective, targeted manner, a departure from its typical massive-scale email campaigns.
According to Proofpoint, the firm detected a low volume of emails distributing the Emotet malware via compromised sender accounts rather than the Emotet spam module. Email subject lines contained a single word, such as “Salary,” and the bodies contained only OneDrive URLs hosting zip archives that in turn contained Microsoft Excel Add-in (XLL) files.
In its analysis of the newly discovered campaign, Proofpoint says the zip archives and XLL files used the same lures as the email subject lines, with one archive containing four copies of the same XLL file under names such as “Salary_and_bonuses-04.01.2022.xll.” When those files are executed, they drop and run Emotet, leveraging the Epoch 4 botnet.
The low-volume nature of the activity and the use of OneDrive URLs and XLL files set this campaign apart from historic Emotet campaigns, which were marked by a high volume of emails carrying Microsoft Office documents with VBA or XL4 macros.
Microsoft in February announced that it would be disabling VBA macros for Office apps by default to help prevent malware deployments to unwitting end users, covering Access, Excel, PowerPoint, Visio and Word on Windows devices. Those changes began rolling out earlier this month.
With Office macros no longer a reliable distribution vehicle for malware, this new Emotet campaign suggests that threat actors are adapting their techniques and finding new ways to attack victims.
Proofpoint says this low-volume campaign began during a quiet period for Emotet earlier this month, using a break from its high-volume campaigns to test this new attack vector and others.
Also this week, security researchers have discovered another new Emotet attack vector that uses PowerShell in LNK attachments instead of Office macros.
According to Slovakia-based cybersecurity company ESET, if a victim is tricked into downloading and running the attachment, the Emotet binary (.DLL) is downloaded and executed.
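Both vectors described above (XLL add-ins inside a zip archive, and LNK shortcuts attached directly) can be caught at the mail gateway before anything is opened. The following triage helper is an added example, not Proofpoint's or ESET's tooling: it flags attachments with add-in or shortcut extensions, looks inside zip archives for the same, and reports byte-identical duplicate members like the four-copy archive Proofpoint describes. The sample archive and its member names are constructed for the demonstration.

```python
"""Attachment triage for the Emotet delivery shapes reported above.
Constructed example: flags .xll / .lnk attachments, inspects zip members,
and notes duplicate payload copies. Not vendor tooling."""
import hashlib
import io
import zipfile

# Extensions that have no business arriving as inbound e-mail attachments.
RISKY_EXTENSIONS = {".xll", ".lnk"}


def _ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return {'filename', 'risky', 'reasons'} for one attachment."""
    findings = {"filename": filename, "risky": False, "reasons": []}
    ext = _ext(filename)
    if ext in RISKY_EXTENSIONS:
        findings["risky"] = True
        findings["reasons"].append(f"direct {ext} attachment")
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                by_hash = {}  # sha256 -> member names with that content
                for info in zf.infolist():
                    digest = hashlib.sha256(zf.read(info)).hexdigest()
                    by_hash.setdefault(digest, []).append(info.filename)
                    if _ext(info.filename) in RISKY_EXTENSIONS:
                        findings["risky"] = True
                        findings["reasons"].append(f"archive member {info.filename}")
                for names in by_hash.values():
                    if len(names) > 1:  # same bytes under several names
                        findings["reasons"].append(f"{len(names)} identical members: {names}")
        except zipfile.BadZipFile:
            findings["reasons"].append("data with .zip name is not a valid zip")
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the report: four copies of one XLL stub."""
    buf = io.BytesIO()
    stub = b"MZ constructed XLL placeholder, not a real add-in"
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(1, 5):  # hypothetical names in the reported lure style
            zf.writestr(f"Salary_and_bonuses-04.01.2022-{i}.xll", stub)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("Salary.zip", build_sample_zip()))
    print(triage_attachment("form.lnk", b"constructed shortcut bytes"))
```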
#BREAKING Another day at #ESETresearch, another #Emotet campaign with a new technique. Instead of the usual Office macros, operators use PowerShell in LNK attachments – filename “form.lnk”. If the victim runs the file, Emotet binary (.DLL) is downloaded and executed. 1/4 pic.twitter.com/iLzFl5t8M5
— ESET research (@ESETresearch) April 26, 2022