Emotet Strikes Again, Resuming Spamming Operations

Notorious Botnet Uses Zip Bombing Techniques to Evade Detection

Emotet is a well-known Banking Trojan that is commonly distributed through spam emails containing malicious attachments. After the attachment is opened, the malware is downloaded and loaded into the device’s memory, where it eventually receives commands from a remote Command and Control (C&C) server. It also steals the victim’s emails and contacts, which are reused in future Emotet spam campaigns, and can download additional payloads such as Cobalt Strike, frequently leading to ransomware attacks.

Emotet was once the most widespread malware, but it has been gradually losing momentum, and its previous spam campaign in November 2022 lasted only two weeks. Nonetheless, after three months of inactivity, the Emotet botnet has returned, rebuilding its network and infecting devices worldwide. On March 7th, at 8:00 am EST, the botnet resumed sending malicious emails.

A tweet by the security researcher Cryptolaemus on March 7th indicated that Emotet had resurfaced and was using Epoch4 servers to distribute spam emails containing malicious document attachments that exceeded 500MB in size. Based on our intelligence observed between March 7th and March 9th, 2023, Emotet spambot activity was geographically dispersed across over 16 countries, as illustrated in the figure below.

Figure 1 – Geographical distribution of the latest Emotet campaign

Technical Details

The typical method of distributing Emotet involves sending spam emails containing a ZIP file attachment, as shown in the image below.

Figure 2 – Spam Email

As illustrated in the figure below, the spam email carries a ZIP attachment that contains a DOC file. It uses the ZIP bombing technique: an extremely large DOC file is compressed into a very small archive. The Word document exceeds 500 MB because it is padded with unused data, which makes it harder for antivirus software to identify it as malicious.

Figure 3 – Document file inside Zip attachment of Spam email
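The padding described above can be caught before the archive is ever extracted. The following is an added Python example (not code from the original report): it reads each member’s declared sizes from the ZIP central directory, flags members whose declared size or compression ratio is out of range, and then confirms the declared size by streaming the member through the decompressor under a hard byte cap, since header fields are attacker-controlled. The scanned archive is constructed inside the block; the thresholds and the zero-padded stand-in document are assumptions.

```python
import io
import zipfile

MiB = 1024 * 1024


def measured_size(zf: zipfile.ZipFile, info: zipfile.ZipInfo, cap: int) -> int:
    """Decompress `info` in 1 MiB chunks, stopping once `cap` bytes have been
    produced, so a hostile archive cannot exhaust memory or disk."""
    total = 0
    with zf.open(info) as fh:
        while total < cap:
            chunk = fh.read(min(MiB, cap - total))
            if not chunk:
                break
            total += len(chunk)
    return total


def inspect_zip_attachment(data: bytes, max_uncompressed: int = 500 * MiB,
                           max_ratio: float = 100.0) -> list[dict]:
    """Flag ZIP members whose declared uncompressed size or compression ratio
    looks like a padded document. Only the central directory is read; nothing
    is written to disk. Thresholds are assumed values, not from the report."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / info.compress_size if info.compress_size else float("inf")
            reasons = []
            if info.file_size >= max_uncompressed:
                reasons.append("declared_size_over_limit")
            if ratio >= max_ratio:
                reasons.append("compression_ratio_over_limit")
            if reasons:
                # Header sizes can be forged, so cross-check with a capped decompression.
                measured = measured_size(zf, info, cap=max_uncompressed)
                findings.append({"name": info.filename, "compressed": info.compress_size,
                                 "declared": info.file_size, "measured_up_to_cap": measured,
                                 "ratio": round(ratio, 1), "reasons": reasons})
    return findings


def build_sample_zip(name: str, content: bytes) -> bytes:
    """Constructed test archive (not a real campaign sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the oversized DOC: an OLE2 magic header followed by zero padding.
PADDED_DOC_ZIP = build_sample_zip("Invoice.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * (8 * MiB))
```

Running the scanner on `PADDED_DOC_ZIP` with a lowered `max_uncompressed` reports both reasons and a measured size equal to the cap, while a small plain-text member produces no finding.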

When the malicious DOC file is opened, it executes macro code that downloads the Emotet payload from the remote server. To prevent macros from running, Microsoft Office normally opens Word documents in Protected View. However, the Threat Actors (TAs) behind Emotet use various social engineering tactics to convince users to enable macro content.

The latest campaign features a new template that provides instructions on how to bypass Microsoft’s Protected View. Specifically, users are instructed to press the “ENABLE EDITING” or “ENABLE CONTENT” button to preview the document. By doing so, the malicious macro code hidden within the document is executed, and the Emotet malware is downloaded from the remote server.

In this Emotet campaign, the malicious DOC file uses a red template, as depicted in the figure below.

Figure 4 – MS Office template used in the Emotet campaign

When a user enables the macro content, the macro downloads the Emotet DLL file from any one of the URLs listed below and saves it to the %LOCALAPPDATA% directory.

  • hxxps[:]//radiomarket[.]shop/catalog_def/6DZvRQnbYvOhjQfMnU/
  • hxxps[:]//diagnostic[.]net/news/5P/
  • hxxps[:]//moiki[.]online/speedsale/XJdpbjT/
  • hxxps[:]//besthome[.]kz/docs/xtbWXvPtI0qQM/
  • hxxp[:]//ly[.]bi3x[.]org/magazini/pWKy5V5/
  • hxxps[:]//ns1[.]koleso[.]tc/b512c9bf0b/RnLGmaMVRRbyeY3nZb/

The figure below depicts the obfuscated VBA macro code that generates URLs to download the Emotet payload onto the victim’s machine.

Figure 5 – VBA macro code to generate URLs

To avoid detection, the Emotet DLL is also inflated to more than 500 MB, like the Word document, so that antivirus software that skips files above a size limit does not scan it as a potentially malicious file.

The figure below shows the downloaded Emotet DLL file and its size.

Figure 6 – Downloaded Emotet DLL

The Emotet DLL file is then launched using “regsvr32.exe”, as shown below.

Figure 7 – Emotet process tree
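The process tree in Figure 7 (a Word document spawning regsvr32.exe to register a DLL written under %LOCALAPPDATA%) is a practical detection anchor. Below is an added Python example, not from the original report, that applies that logic to constructed process-creation records; the field names loosely follow Sysmon Event ID 1, and the user name, paths and DLL name are made-up placeholders.

```python
import re

# Constructed process-creation events (not from the original report). Field names
# loosely follow Sysmon Event ID 1; the user, paths and DLL name are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Invoice.doc"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\placeholder.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# %LOCALAPPDATA% expands to <profile>\AppData\Local; match either spelling.
LOCALAPPDATA_RE = re.compile(r"(%localappdata%|\\appdata\\local\\)", re.IGNORECASE)
DLL_ARG_RE = re.compile(r'[^\s"]+\.dll', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return reason tags for one process-creation event; an empty list means benign."""
    if basename(event.get("Image", "")) != "regsvr32.exe":
        return []
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    if parent in OFFICE_APPS:
        # Office applications have no business registering COM DLLs.
        reasons.append("regsvr32_spawned_by_office")
    dll = DLL_ARG_RE.search(event.get("CommandLine", ""))
    if dll and LOCALAPPDATA_RE.search(dll.group(0)):
        # Matches the drop location the report describes for the Emotet DLL.
        reasons.append("dll_loaded_from_localappdata")
    return reasons


def detect(events: list[dict]) -> list[dict]:
    """Run classify() over a batch of events and return only the alerts."""
    return [{"command": ev["CommandLine"], "reasons": classify(ev)}
            for ev in events if classify(ev)]
```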

After execution, the Emotet malware operates discreetly in the background and establishes a connection with the Command and Control (C&C) server to receive further instructions or install additional payloads.

Since March 7th, Cyble Research and Intelligence Labs (CRIL) has been actively monitoring the Emotet campaign disseminated via spam emails. This monitoring has identified the following information about the most recent spam campaign.

The following image depicts the filenames most frequently used by the Emotet spam campaign.

Figure 8 – Top filenames used by the Emotet spam campaign

The following image illustrates the mail subjects most commonly used by the Emotet spam campaign.

Figure 9 – Top mail subject names used by Emotet spam campaign

Conclusion

Emotet has been recognized as one of the most advanced and profitable malware types affecting users worldwide in recent years. Its capability to download and install other malware on compromised machines has made it a significant threat to both individuals and organizations.

Although no major alterations have been made to the malware or its distribution methods in the latest campaign, the malware now incorporates unused data to inflate its file size, thereby evading detection by antivirus software.

Cyble Research and Intelligence Labs (CRIL) is keeping a close eye on the Emotet campaign’s activity and will update our readers, as the campaign is expected to adopt new tactics, techniques, and procedures to distribute malware after its return, as it typically does following a break of a few months.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below: 

Safety Measures Needed to Prevent Attacks From Similar Threats And Reduce The Impact

  • Don’t keep important files in common locations such as the Desktop, My Documents, etc.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Conduct regular backup practices and keep those backups offline or in a separate network.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Initial Access       T1566          Spearphishing Attachment
Execution            T1204          User Execution
                     T1059          Command and Scripting Interpreter
                     T1218          Regsvr32
Defense Evasion      T1140          Deobfuscate/Decode Files or Information
                     T1564          Hidden Window
                     T1112          Modify Registry
Persistence          T1547          Registry Run Keys / Startup Folder
Discovery            T1082          System Information Discovery
                     T1083          File and Directory Discovery
                     T1007          System Service Discovery
Command and Control  T1071          Application Layer Protocol
                     T1105          Ingress Tool Transfer


Indicators Of Compromise

