Emotet Storms Back
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: ProofPoint
A flurry of email samples carrying Emotet malware has been observed since the botnet's return from a four-month hiatus. Since the beginning of November 2022, Proofpoint researchers have noted a significant rise in emails laced with Emotet, with daily volumes ranging from hundreds to thousands of messages. Proofpoint tracks the threat actor distributing Emotet as TA542. Many aspects of the Emotet infection chain are unchanged; the notable changes in tactics are updates to the Emotet binary and the deployment of the IcedID and Bumblebee loaders. Emails carrying Emotet use hijacked email threads or invoice-themed lures to entice victims into opening an attached Excel file, or a zip archive housing the Excel file. A macro-laced document remains the detonation method of choice. To bypass Microsoft's Mark-of-the-Web (MoTW) protections, which block macros in files downloaded from the internet, a second layer of social engineering instructs the victim to copy the Excel file into an Office Templates folder, a default Trusted Location where macros run without the MoTW check. Copying a file into that folder requires administrator-level permissions, so the victim must also approve the elevation prompt. Once these hurdles are cleared, opening the Excel document executes the macro, which installs Emotet; Emotet then downloads a variant of the IcedID loader. Typically, a loader would first run system checks to profile the host and its network; in the observed infection chain, however, the threat actor has opted to forgo this step. "Proofpoint researchers believe this is because the loader is being delivered to already infected machines and therefore there is no need to do a check on the system profile." IcedID then downloads whatever additional payloads the attacker's objectives require, which may ultimately include ransomware.
- Malicious File Delivering Malware
Anvilogic Use Cases:
- Compressed File Execution
- Malicious Document Execution
- Wscript/Cscript Execution
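The two behaviours the use cases above point at can be checked against process-creation telemetry. The following detection sketch is an added example written for this bulletin; it is not Anvilogic's or Proofpoint's detection content. It runs over constructed Sysmon-style process-creation events (field names `parent_image`, `image`, `command_line` are assumed) and flags (1) an Office application spawning a script host or other living-off-the-land binary, and (2) Office opening a document that sits in a Templates folder, the default Trusted Location the TA542 lures ask victims to copy the file into. The Templates paths matched are Office's default trusted locations; the sample events are constructed for the example.

```python
"""Detection sketch for the Emotet/IcedID delivery chain (added example).

Rules, evaluated over simplified Sysmon Event ID 1 (process creation) events:
  1. office_spawned_script_host: Excel/Word/PowerPoint is the parent of a
     script host or LOLBin (Wscript/Cscript Execution, Malicious Document
     Execution use cases).
  2. document_opened_from_trusted_location: an Office app is started on a
     document inside an Office Templates folder, a default Trusted Location
     where macro blocking and the Mark-of-the-Web check do not apply.
Field names and sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {
    "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
    "regsvr32.exe", "rundll32.exe", "mshta.exe", "certutil.exe",
}
# Default Office Trusted Locations include the Templates folder under the
# Office install root and the per-user %APPDATA%\Microsoft\Templates folder.
TRUSTED_TEMPLATE_DIR = re.compile(
    r"\\(?:microsoft office\\root\\templates|microsoft\\templates)\\",
    re.IGNORECASE,
)
OFFICE_DOC = re.compile(r"\.(?:xls[mxb]?|doc[mx]?|ppt[mx]?)\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_script_host(ev: ProcessEvent) -> bool:
    """Rule 1: Office parent, script host / LOLBin child."""
    return (basename(ev.parent_image) in OFFICE_APPS
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def document_opened_from_trusted_location(ev: ProcessEvent) -> bool:
    """Rule 2: Office started with a document argument living in a Templates folder."""
    if basename(ev.image) not in OFFICE_APPS:
        return False
    # Split the command line into quoted and unquoted arguments.
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', ev.command_line):
        arg = quoted or bare
        if OFFICE_DOC.search(arg) and TRUSTED_TEMPLATE_DIR.search(arg):
            return True
    return False


def evaluate(events):
    """Return (event index, rule name) pairs for every event that fires a rule."""
    hits = []
    for i, ev in enumerate(events):
        if office_spawned_script_host(ev):
            hits.append((i, "office_spawned_script_host"))
        if document_opened_from_trusted_location(ev):
            hits.append((i, "document_opened_from_trusted_location"))
    return hits


# Constructed sample telemetry: a lure opened from Downloads (MoTW still
# applies, no hit), the same lure re-opened from the Templates folder, the
# macro launching regsvr32, an unrelated shell, and Word spawning wscript.
EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
WORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", EXCEL,
                 f'"{EXCEL}" "C:\\Users\\alice\\Downloads\\invoice_2211\\invoice.xls"'),
    ProcessEvent(r"C:\Windows\explorer.exe", EXCEL,
                 f'"{EXCEL}" "C:\\Program Files (x86)\\Microsoft Office\\Root\\Templates\\invoice.xls"'),
    ProcessEvent(EXCEL, r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32 /s C:\Users\alice\AppData\Local\Temp\update.ocx"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(WORD, r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\alice\AppData\Local\Temp\run.vbs"),
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Rule 2 is deliberately narrow: it only fires when a document path is inside a Templates folder, because a standard user placing a downloaded spreadsheet there is exactly the manual MoTW bypass the lure asks for, while the same file opened from Downloads is still subject to the macro block. In production, add file-creation events (Sysmon Event ID 11) for the Templates folder so the copy itself is caught before the document is opened.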