Notorious Botnet Uses Zip Bombing Techniques to Evade Detection
Emotet is a well-known banking Trojan that is commonly distributed through spam emails carrying malicious attachments. When a victim opens the attachment, the malware is downloaded and loaded into the device’s memory, where it eventually receives commands from a remote Command and Control (C&C) server. It also steals the victim’s emails and contacts, which are reused in future Emotet spam campaigns, and can download additional payloads such as Cobalt Strike, frequently leading to ransomware attacks.
Emotet was once the most widespread malware, but it has been gradually losing momentum, and its previous spam campaign in November 2022 lasted only two weeks. Nonetheless, after three months of inactivity, the Emotet botnet has returned to sending malicious emails and infecting devices worldwide by rebuilding its network. On March 7th, at 8:00 am EST, the botnet resumed sending malicious emails and was infecting users worldwide.
A tweet by the security researcher Cryptolaemus on March 7th indicated that Emotet had resurfaced and was using Epoch4 servers to distribute spam emails containing malicious document attachments that exceeded 500MB in size. Based on our intelligence observed between March 7th and March 9th, 2023, Emotet spambot activity was geographically dispersed across over 16 countries, as illustrated in the figure.

Technical Details
The typical method of distributing Emotet involves sending spam emails containing a ZIP file attachment, as shown in the image below.

As illustrated in the figure below, the spam email contains a ZIP attachment that includes a DOC file. It uses the ZIP bombing technique to compress an extremely large DOC file into a very small archive file. The Word document exceeds 500 MB in size and is padded with unused data, making it more difficult for antivirus software to identify it as malicious.
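As an added example (not code from the original post or from Cyble), the following Python script triages a ZIP attachment for this padding pattern. It relies only on the sizes recorded in the archive's central directory plus a capped streaming read of each member, so a 500 MB document is never fully extracted to judge it; the archive it builds is constructed, not a campaign artifact, and the thresholds are assumptions.

```python
import io
import zipfile

# Constructed sample, not a real Emotet artifact: a small "document" padded
# with unused NUL bytes, the way the campaign inflates its DOC files past 500 MB.
def build_padded_zip(member: str, real_bytes: bytes, pad_len: int) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, real_bytes + b"\x00" * pad_len)
    return buf.getvalue()

def null_fraction(zf: zipfile.ZipFile, info: zipfile.ZipInfo, cap: int) -> float:
    """Stream at most `cap` bytes of a member and return the share of NUL bytes."""
    seen = nulls = 0
    with zf.open(info) as fh:
        while seen < cap:
            chunk = fh.read(min(1 << 20, cap - seen))
            if not chunk:
                break
            seen += len(chunk)
            nulls += chunk.count(0)
    return nulls / seen if seen else 0.0

def triage_zip(data: bytes, max_ratio: float = 50.0, max_null: float = 0.9,
               sample_cap: int = 64 << 20) -> list:
    """Score each member by compression ratio (central directory only) and by
    the NUL share of a capped sample; either past its threshold is suspicious.
    The thresholds are assumed values for this example, not published ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            frac = null_fraction(zf, info, sample_cap)
            findings.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "ratio": round(ratio, 1),
                "null_fraction": round(frac, 3),
                "suspicious": ratio > max_ratio or frac > max_null,
            })
    return findings

if __name__ == "__main__":
    sample = build_padded_zip("invoice.doc", b"DOCSTART" * 10, 5_000_000)
    for finding in triage_zip(sample):
        print(finding)
```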

When the malicious DOC file is opened, it executes macro code responsible for downloading the Emotet payload from the remote server. To prevent macros from running, Microsoft Office typically opens Word documents in Protected View. However, the Threat Actors (TAs) behind Emotet employ various social engineering tactics to convince users to enable macro content.
The latest campaign features a new template that provides instructions on how to bypass Microsoft’s Protected View. Specifically, users are instructed to press the “ENABLE EDITING” or “ENABLE CONTENT” button to preview the document. By doing so, the malicious macro code hidden within the document is executed, and the Emotet malware is downloaded from the remote server.
In this Emotet campaign, the malicious DOC file uses a RED template, as depicted in the figure below.

When a user enables the macro content, it downloads the Emotet DLL file from any one of the URLs mentioned below and then saves the DLL file into the %LOCALAPPDATA% directory.
- hxxps[:]//radiomarket[.]shop/catalog_def/6DZvRQnbYvOhjQfMnU/
- hxxps[:]//diagnostic[.]net/news/5P/
- hxxps[:]//moiki[.]online/speedsale/XJdpbjT/
- hxxps[:]//besthome[.]kz/docs/xtbWXvPtI0qQM/
- hxxp[:]//ly[.]bi3x[.]org/magazini/pWKy5V5/
- hxxps[:]//ns1[.]koleso[.]tc/b512c9bf0b/RnLGmaMVRRbyeY3nZb/
The figure below depicts the obfuscated VBA macro code that generates URLs to download the Emotet payload onto the victim’s machine.

To evade detection, the Emotet DLL file is likewise padded to more than 500 MB, just like the Word document; this makes it difficult for antivirus software to flag the file as malicious because of the file-size limits such scanners apply.
The figure below shows the downloaded Emotet DLL file and its size.

The Emotet DLL file is then launched using “regsvr32.exe”, as shown below.
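As an added detection example (not from the original post or from Cyble), the following Python script scans process-creation events for the execution chain described above: regsvr32.exe loading a DLL from a user's %LOCALAPPDATA% tree, rated higher when an Office application is the parent. The event format, paths and file names are constructed assumptions in the style of Sysmon Event ID 1, not logs from the campaign.

```python
import ntpath
import re
from typing import Optional

# Constructed, simplified process-creation events (Sysmon Event ID 1 style).
# Paths, user names and DLL names are assumptions made for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe "C:\Users\alice\AppData\Local\a1b2c3.dll"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\codec.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Users\bob\AppData\Local\Temp\x.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

# Office parents are an assumption: the macro runs inside the document's host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Any .dll argument whose path sits under a user's AppData\Local tree.
LOCALAPPDATA_DLL = re.compile(r"\\users\\[^\\]+\\appdata\\local\\.*\.dll", re.I)

def classify(event: dict) -> Optional[dict]:
    """Return an alert for regsvr32 runs matching the campaign's pattern,
    or None for anything else. Severity rises when an Office app is the parent."""
    if ntpath.basename(event["Image"]).lower() != "regsvr32.exe":
        return None
    cmd = event["CommandLine"]
    if not LOCALAPPDATA_DLL.search(cmd):
        return None
    parent = ntpath.basename(event["ParentImage"]).lower()
    severity = "high" if parent in OFFICE_APPS else "medium"
    return {"severity": severity, "parent": parent, "command": cmd,
            "reason": "regsvr32 loading a DLL from %LOCALAPPDATA%"}

def scan(events: list) -> list:
    """Apply classify() to every event and keep only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```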

After execution, the Emotet malware operates discreetly in the background and establishes a connection with the Command and Control (C&C) server to receive further instructions or install additional payloads.
Since March 7th, Cyble Research and Intelligence Labs (CRIL) has been actively monitoring the Emotet malware campaign, which was disseminated via spam emails. As a result of this monitoring, the following information has been identified regarding the most recent spam campaign.
The following image depicts the most frequently utilized filenames employed by the Emotet spam campaign.

The following image illustrates the most commonly employed subject names utilized by the Emotet spam campaign.

Conclusion
Emotet has been recognized as one of the most advanced and profitable malware types affecting users worldwide in recent years. Its capability to download and install other malware on compromised machines has made it a significant threat to both individuals and organizations.
Despite no major alterations being made to the malware or its distribution methods in the latest Emotet campaign, the malware now incorporates unused data to expand the file size, thus evading detection by antivirus software.
Cyble Research and Intelligence Labs (CRIL) is keeping a close eye on the Emotet malware campaign’s activity and will update our readers as the campaign is expected to employ new tactics, techniques, and procedures to distribute malware after its return, typically following a break of a few months.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:
Safety Measures Needed to Prevent Attacks From Similar Threats And Reduce The Impact
- Don’t keep important files in common locations such as the Desktop, My Documents, etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566 | Spearphishing Attachment |
| Execution | T1204 | User Execution |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1218 | Regsvr32 |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1564 | Hidden Window |
| Defense Evasion | T1112 | Modify Registry |
| Persistence | T1547 | Registry Run Keys / Startup Folder |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1007 | System Service Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
Indicators Of Compromise
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| 4055657f97d677b111c44e82b6c556e9 | MD5 | Spam |
| 6f8b5fb2d233e38a6aa45a28b1d52b230c05e2e6 | SHA1 | Spam |
| 781b9f3a5b0de8d4bd4a24e786dc8000da0456755bc4630ecd6713f6cba0afa3 | SHA256 | Spam |
| 5ae521305e606ded32760eb1c91b3fc5 | MD5 | ZIP attachment |
| 53985f885c81b604de7fc72123773ceac7c45858 | SHA1 | ZIP attachment |
| 0f74ce5594cbf792809ab9f6117b84d35ffd7cd1b920f7bd9d496c2d18867d16 | SHA256 | ZIP attachment |
| 275353a6dc348d9dc9336bbf718a8b1d | MD5 | Doc file |
| 5b8b9e95b9d6e97261526a86ba780bd58b536314 | SHA1 | Doc file |
| 87942501af3e7ac7e2c2957b53081c26a38cf53bd81f981a051e337309a2be78 | SHA256 | Doc file |
| 9670183093adf077076afc2cbfdbe34f | MD5 | Emotet DLL |
| 2d77cd7a0fe869a62963de4c03ad4d3f35ae419f | SHA1 | Emotet DLL |
| bab835d2c283cee2b1afd044126ca34bba9d86c3b483883536f9910490aa1c26 | SHA256 | Emotet DLL |
| hxxps[:]//ns1[.]koleso[.]tc/b512c9bf0b/RnLGmaMVRRbyeY3nZb/ | URL | Emotet download URL |
| hxxps[:]//radiomarket[.]shop/catalog_def/6DZvRQnbYvOhjQfMnU/ | URL | Emotet download URL |
| hxxps[:]//diagnostic[.]net/news/5P/ | URL | Emotet download URL |
| hxxps[:]//moiki[.]online/speedsale/XJdpbjT/ | URL | Emotet download URL |
| hxxps[:]//besthome[.]kz/docs/xtbWXvPtI0qQM/ | URL | Emotet download URL |
| hxxp[:]//ly[.]bi3x[.]org/magazini/pWKy5V5/ | URL | Emotet download URL |