Cybersecurity researchers discovered that the infamous Emotet malware has altered methods yet again. In its latest campaign, the malware is able to access and use spreadsheets, documents, and other Microsoft programs, evading entry security.
Emotet was identified in 2014 as a banking trojan, and it has been quite active in recent years. In this campaign, the botnet authors are using a relatively new module that steals payment card information from Google Chrome.
According to Deep Instinct researchers, the current version of Emotet has led to a nine-fold surge in the use of Microsoft Excel macros compared with what researchers detected in the fourth quarter of 2021. The hackers that utilized this trojan were among the first to offer malware-as-a-service (MaaS).
The latest malware still uses many of the same attack vectors as it had in the past, but this new technique is seen as being more effective in collecting and using stolen credentials.
In a blog post on the re-emergence of Emotet, Chuck Everette, director of cybersecurity advocacy for Deep Instinct, which has been following the malware since the fourth quarter of last year, noted that the current malware variant uses many of the same “evasion methods” as previous versions.
The malware has targeted customers in Japan, as well as the United States and Italy since this spring. The researchers detected the Emotet's re-emergence last November, and they noted that this evolved malware was even able to get past email gateway security.
Additionally, the banking trojan is employing 64-bit shell code, as well as more advanced PowerShell and active scripts, “with nearly a fifth of all malicious samples exploiting the 2017 Microsoft vulnerability CVE-2017-11882,” according to reports.
"We use internal code and binary similarity algorithms on our cloud backend to associate and correlate new variants of a select set of campaigns which we monitor very closely, Emotet being one of them," he explained.
In particular, multiple static evasion methods are very characteristic of Emotet, and upticks in those in new variant waves are very indicative of malware activity.
“The Emotet Gang are professionals. They know how to run a successful phishing campaign and have now upped their game with new sophisticated attack techniques,” Everette explained on his company’s blog on the re-emergence of Emotet. However, the primary delivery method is still phishing emails, and the human factor is the weakness. If you make yourself more difficult to attack than another company, they will go after the easier target. Make sure you're the harder target to penetrate. Educate your employees."
