Emotet is Back From ‘Spring Break’ With New Nasty Tricks

After Microsoft disabled VBA macros by default, the Botnet seems to have a new method of compromising Windows systems.

After a 10-month “spring break,” Emotet malware attacks have returned. Criminals behind the attack are now rested, tanned, and ready to launch a new campaign strategy. This new strategy includes targeted phishing attacks different from the previous spray–and–pay campaigns, according to new research.

According to a Tuesday report, Proofpoint analysts have linked this activity with the threat actor known to be TA542, who has since 2014 used the Emotet malware to great success.

Emotet was once called the ” most dangerous malware in the world.” It is now being used in its latest campaign to deliver ransomware. Law enforcement has been following the trail of those responsible for distributing the malware for many years. Authorities in Canada, France and Germany worked together in January 2021 to eliminate a network of botnet servers supporting Emotet as part of Operation LadyBird.

Researchers discovered the latest activity while Emotet was away on “spring break.” These efforts were low-key and likely an attempt at testing new tactics without drawing attention. Researchers now believe that TA542 has increased its attacks on high-volume threat campaigns. Proofpoint stated that the threat actor had resumed normal activity.

AdvIntel and Crypolaemus confirmed Proofpoint’s observation, observing that the Emotet returned after a 10-months break. These researchers claim that the malware attackers have sent millions upon millions of phishing emails designed to infect devices with malware. Botnets can also be used to control them.

The New Phase of Emotet

Proofpoint researchers stated in their report that this testing of phishing emails might be due to Microsoft’s actions to disable specific macros associated with Office apps in February 2022. Microsoft noted that it was changing the defaults for five Office apps that run macros at the time. This prevents attackers from executing malware on victims’ systems by targeting documents using automation services.

Proofpoint cybersecurity researchers claim that the recent campaigns used new techniques to test their potential in larger campaigns.

These new campaigns send spam-phishing emails using compromised email addresses with a single-word headline. Proofpoint cybersecurity researchers discovered that common terms used in phishing attacks include “salary.” This is used to encourage users to click out of curiosity.

OneDrive URL is included in the message body. This URL hosts Zip files containing Microsoft Excel Addin (XLL), files that have a similar name as the email subject.

Emotet can infect your computer with malware if these XLL files have been opened and executed. It can also steal information and create a backdoor to allow other malware deployed on the Windows system.

Proofpoint cybersecurity researchers claim this campaign is different from others because of the OneDrive URLs and the XLL. Emotet tried to spread itself earlier via Microsoft Office attachments and phishing URLs. These malicious payloads contained Word and Excel documents that contained Visual Basics for Applications (VBA), scripts, or macros.

Researchers said that the attacks linked to this new campaign occurred between April 4, 2022 (and April 19, 2022), when other Emotet campaigns were stopped.

Emotet is changing things after months of constant activity. “It is possible that the threat actor is trying out new behaviors on a smaller scale before delivering them more widely to victims or via new TTPs (“Tactics Techniques and Procedures”),” stated Sherrod deGrippo, Vice President of Threat Research and Detection at Proofpoint.

She said, “Organizations need to be aware of new techniques and implement defenses accordingly.”

“Train users how to identify and report spam email. DeGrippo explained that regular training and simulated attacks could help stop many attacks and remember those particularly vulnerable.

also developed malware. This prevented potential victims from being compromised by clicking on malicious email attachments.