Notorious Botnet Uses Zip Bombing Techniques to Evade Detection
Emotet is a well-known banking Trojan that is commonly distributed through spam emails carrying malicious attachments. Once the attachment is opened, the malware is downloaded and loaded into the device’s memory, where it receives commands from a remote Command and Control (C&C) server. It also steals the victim’s emails and contacts, which are reused in future Emotet spam campaigns, and can download other payloads such as Cobalt Strike, frequently leading to ransomware attacks.
Emotet was once the most widespread malware, but it has been gradually losing momentum, and its previous spam campaign in November 2022 lasted only two weeks. Nonetheless, after three months of inactivity, the Emotet botnet has returned: on March 7th, at 8:00 am EST, it resumed sending malicious emails and began infecting devices worldwide, rebuilding its network in the process.
A tweet by the security researcher Cryptolaemus on March 7th indicated that Emotet had resurfaced and was using Epoch4 servers to distribute spam emails containing malicious document attachments that exceeded 500MB in size. Based on our intelligence observed between March 7th and March 9th, 2023, Emotet spambot activity was geographically dispersed across over 16 countries, as illustrated in the figure.
The typical method of distributing Emotet involves sending spam emails containing a ZIP file attachment, as shown in the image below.
As illustrated in the figure below, the spam email contains a ZIP attachment that includes a DOC file. It uses the ZIP bombing technique: an extremely large DOC file is compressed into a very small archive. The Word document exceeds 500 MB but consists largely of unused data, which makes it more difficult for antivirus software to identify it as malicious.
When the malicious DOC file is opened, it executes macro code that downloads the Emotet payload from the remote server. To prevent macros from running, Microsoft Office normally opens Word documents in Protected View. However, the Threat Actors (TAs) behind Emotet use various social engineering tactics to convince users to enable macro content.
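The inflated-attachment pattern described above can be triaged at the mail gateway before the document is ever opened, because the ZIP central directory already exposes the compressed and uncompressed size of every entry. The following is an added example, not code from the original post or from Cyble: it computes the expansion ratio per entry, streams the entry to measure its trailing run of zero bytes, and flags Office documents that are both huge and mostly padding. The thresholds (100:1 ratio, 50% zero tail), the `build_sample_zip`/`random_body` helpers and the sample archive are assumptions constructed for this example; the 500 MB default mirrors the document size reported above.

```python
import io
import random
import zipfile

OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")


def random_body(seed, n):
    """Deterministic, incompressible bytes for the constructed samples."""
    r = random.Random(seed)
    return bytes(r.getrandbits(8) for _ in range(n))


def build_sample_zip(name, body, zero_padding):
    """Constructed sample archive: a small document body followed by a run of
    zero bytes, mimicking a padded Office file inside a ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body + b"\x00" * zero_padding)
    return buf.getvalue()


def trailing_zero_run(zf, info, chunk=1 << 20):
    """Stream one entry and return the length of its trailing run of zero
    bytes, without holding the whole decompressed file in memory."""
    run = 0
    with zf.open(info) as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            stripped = block.rstrip(b"\x00")
            # A block with real data resets the run; an all-zero block extends it.
            run = len(block) - len(stripped) if stripped else run + len(block)
    return run


def inspect_zip(data, max_ratio=100.0, large_doc_bytes=500 * 1024 * 1024,
                tail_fraction=0.5):
    """Return one finding per file entry. Thresholds are assumptions for this
    example; the 500 MB default mirrors the document size seen in the campaign."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Central-directory sizes are available before any decompression.
            ratio = info.file_size / max(info.compress_size, 1)
            is_office = info.filename.lower().endswith(OFFICE_EXTS)
            flags = []
            if is_office and ratio >= max_ratio:
                flags.append("high_compression_ratio")
            if is_office and info.file_size >= large_doc_bytes:
                flags.append("oversized_office_doc")
            zeros = trailing_zero_run(zf, info)
            zero_fraction = zeros / max(info.file_size, 1)
            if zero_fraction >= tail_fraction:
                flags.append("padded_tail")
            findings.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "ratio": round(ratio, 1),
                "trailing_zero_fraction": round(zero_fraction, 4),
                "flags": flags,
            })
    return findings


if __name__ == "__main__":
    # Constructed padded attachment: 4 KB of incompressible body + 6 MB of zeros.
    padded = build_sample_zip("invoice.doc", random_body(1, 4096), 6 * 1024 * 1024)
    # The size threshold is lowered here only to keep the sample small.
    for finding in inspect_zip(padded, large_doc_bytes=4 * 1024 * 1024):
        print(finding)
    benign = build_sample_zip("notes.doc", random_body(2, 20000), 0)
    for finding in inspect_zip(benign):
        print(finding)
```

The ratio check alone is cheap enough to run on every attachment; the streamed tail check costs one decompression pass but never allocates more than one chunk, so a 500 MB entry does not become a memory problem for the scanner itself.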
The latest campaign features a new template that provides instructions on how to bypass Microsoft’s Protected View. Specifically, users are instructed to press the “ENABLE EDITING” or “ENABLE CONTENT” button to preview the document. By doing so, the malicious macro code hidden within the document is executed, and the Emotet malware is downloaded from the remote server.
In this Emotet campaign, the Malicious DOC file uses a RED template, as depicted in the figure below.
When a user enables the macro content, it downloads the Emotet DLL file from any one of the URLs mentioned below and then saves the DLL file into the %LOCALAPPDATA% directory.
The figure below depicts the obfuscated VBA macro code that generates URLs to download the Emotet payload onto the victim’s machine.
To avoid detection, the Emotet DLL is also padded to more than 500 MB, like the Word document, so antivirus engines that limit or skip scanning of very large files have difficulty flagging it as malicious.
The figure below shows the downloaded Emotet DLL file and its size.
The Emotet DLL file is then launched using “regsvr32.exe”, as shown below.
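The download-and-load chain in the steps above (DLL written under %LOCALAPPDATA%, padded past 500 MB, loaded through regsvr32.exe) gives a defender two concrete checks. The following added example, not code from the original post or from Cyble, parses the PE section table to measure how much of a DLL lies outside any section (the overlay, which is where appended padding lands) and flags process-creation command lines in which regsvr32.exe registers a DLL from the user's AppData\Local directory. The minimal PE produced by `build_sample_dll`, the command lines and the 90% overlay threshold are constructed assumptions for this example.

```python
import re
import struct

COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_FILE_DLL = 0x2000


def build_sample_dll(overlay_bytes):
    """Constructed minimal PE32+ DLL: headers in the first 512 bytes, one
    512-byte .text section, then `overlay_bytes` of zeros that belong to no
    section. Only the fields the parser below reads are meaningful."""
    e_lfanew = 64
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_FMT, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    optional = struct.pack("<H", 0x20B) + b"\x00" * 238            # PE32+ magic
    section = struct.pack(SECTION_FMT, b".text\x00\x00\x00",
                          0x1000, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + optional + section
    headers += b"\x00" * (512 - len(headers))
    return headers + b"\xC3" * 512 + b"\x00" * overlay_bytes


def pe_overlay(data, min_fraction=0.9):
    """Measure the bytes past the end of the last section (the overlay).
    Legitimate binaries may carry a small overlay (Authenticode signatures,
    installer payloads); a file that is mostly overlay is flagged. The 90%
    threshold is an assumption for this example."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    sec_table = e_lfanew + 24 + opt_size
    mapped_end = sec_table + nsec * 40
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, data, sec_table + i * 40)
        raw_size, raw_ptr = fields[3], fields[4]
        mapped_end = max(mapped_end, raw_ptr + raw_size)
    overlay = max(len(data) - mapped_end, 0)  # clamp for truncated files
    fraction = overlay / len(data)
    return {
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "file_size": len(data),
        "mapped_end": mapped_end,
        "overlay_bytes": overlay,
        "overlay_fraction": round(fraction, 4),
        "suspicious_padding": fraction >= min_fraction,
    }


REGSVR32 = re.compile(r"(^|\\)regsvr32(\.exe)?(\s|$)", re.I)
LOCALAPPDATA = re.compile(r"\\AppData\\Local\\", re.I)


def flag_regsvr32_event(cmdline):
    """True when regsvr32 is registering a DLL located under %LOCALAPPDATA%,
    the drop location described for this campaign."""
    return bool(REGSVR32.search(cmdline) and LOCALAPPDATA.search(cmdline))


if __name__ == "__main__":
    print(pe_overlay(build_sample_dll(3 * 1024 * 1024)))
    # Constructed process-creation command lines, not real telemetry.
    events = [
        r'C:\Windows\System32\regsvr32.exe /s "C:\Users\victim\AppData\Local\sample.dll"',
        r'C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\mshtml.dll',
    ]
    for cmd in events:
        print(flag_regsvr32_event(cmd), cmd)
```

Because the overlay measurement only reads the headers and section table, it costs the same on a 500 MB DLL as on a 50 KB one, which is exactly the property a scanner needs when the attacker's goal is to make full-file analysis too expensive.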
After execution, the Emotet malware operates discreetly in the background and establishes a connection with the Command and Control (C&C) server to receive further instructions or install additional payloads.
Since March 7th, Cyble Research and Intelligence Labs (CRIL) has been actively monitoring the Emotet malware campaign, which was disseminated via spam emails. As a result of this monitoring, the following information has been identified regarding the most recent spam campaign.
The following image depicts the most frequently utilized filenames employed by the Emotet spam campaign.
The following image illustrates the most commonly employed subject names utilized by the Emotet spam campaign.
Emotet has been recognized as one of the most advanced and profitable malware types affecting users worldwide in recent years. Its capability to download and install other malware on compromised machines has made it a significant threat to both individuals and organizations.
Despite no major alterations being made to the malware or its distribution methods in the latest Emotet campaign, the malware now incorporates unused data to expand the file size, thus evading detection by antivirus software.
Cyble Research and Intelligence Labs (CRIL) is keeping a close eye on the Emotet campaign and will update our readers, since Emotet typically adopts new tactics, techniques, and procedures to distribute malware after returning from a break of a few months.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:
Safety Measures Needed to Prevent Attacks From Similar Threats And Reduce The Impact
- Don’t keep important files in common locations such as the Desktop, My Documents, etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566 | Spearphishing Attachment |
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Persistence | T1547 | Registry Run Keys / Startup Folder |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1007 | System Service Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
Indicators Of Compromise