The Emotet botnet has returned after a month-long hiatus, and it has some new tricks: its emails now appear to come from a known contact, address the recipient by name, and appear to be replying to an existing email thread.
Emotet is one of the main dangers on the Internet, so it never hurts to refresh your memory on the new tricks it has learned and try not to fall into its clutches.
New tricks for Emotet
Emotet uses a number of tricks to try to avoid detection and analysis. Emotet is polymorphic, which means that it can change itself each time it is downloaded and so avoid signature-based detection.
Each time Emotet has returned in previous hiatuses, it has brought new techniques designed to evade security products and trick users into clicking links or enabling dangerous code in Microsoft Office document attachments. The resumption of activity last week followed this pattern.
Last week, a wave of malicious spam messages was detected that appear to come from a known contact, address the recipient by name, and appear to be replying to an existing email thread. In this way, they add credibility to the malicious email and increase the chances that someone will bite.
For example, one of the Word documents contained a large amount of extraneous data appended to the end, causing it to exceed 500 MB in size. That is unusual for a text file, but it helps evade detection because some security products will not scan content of that size. This technique, known as binary padding or file pumping, works by adding zeros to the end of the document.
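Binary padding is easy to spot once you look for it: a pumped document has a long run of 0x00 bytes at its end, and for OOXML (ZIP-based) documents the real container ends at the end-of-central-directory record, so anything after it is appended data. The following scanner is an added example written for this article, not code from the original or from any vendor; the thresholds and the constructed sample document are assumptions for illustration. It deliberately searches the whole file for the ZIP end record rather than only the last 64 KiB, because a pumped file can carry megabytes of zeros after it.

```python
import io
import struct
import zipfile
from dataclasses import dataclass
from typing import Optional

# Constructed thresholds for this example, not values from the article.
MIN_PADDING = 1024             # trailing zeros / appended bytes before we flag the file
LARGE_DOC = 50 * 1024 * 1024   # a Word document this large is unusual on its own

EOCD_SIG = b"PK\x05\x06"       # ZIP end-of-central-directory signature
EOCD_FIXED_LEN = 22            # fixed part of the EOCD record, then an optional comment


@dataclass
class PaddingReport:
    total_size: int
    trailing_zeros: int        # length of the run of 0x00 bytes at the end of the file
    zip_end: Optional[int]     # offset just past the ZIP container, None if not a ZIP
    appended_bytes: int        # bytes after the ZIP container (0 when not a ZIP)

    @property
    def suspicious(self) -> bool:
        return (self.trailing_zeros >= MIN_PADDING
                or self.appended_bytes >= MIN_PADDING
                or self.total_size >= LARGE_DOC)


def zip_logical_end(data: bytes) -> Optional[int]:
    """Offset one past the real end of a ZIP (OOXML) container, or None.

    Scans the whole buffer: zipfile-style readers only look in the last
    64 KiB + 22 bytes, which a pumped file defeats.
    """
    off = data.rfind(EOCD_SIG)
    if off < 0 or off + EOCD_FIXED_LEN > len(data):
        return None
    (comment_len,) = struct.unpack_from("<H", data, off + 20)
    return off + EOCD_FIXED_LEN + comment_len


def scan_bytes(data: bytes) -> PaddingReport:
    """Measure trailing zero padding and data appended past the ZIP end."""
    trailing = len(data) - len(data.rstrip(b"\x00"))
    end = zip_logical_end(data)
    appended = len(data) - end if end is not None else 0
    return PaddingReport(len(data), trailing, end, appended)


def scan_file(path: str) -> PaddingReport:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def make_sample(padding: int) -> bytes:
    """Constructed sample: a minimal OOXML-like ZIP with `padding` zero bytes appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
    return buf.getvalue() + b"\x00" * padding


if __name__ == "__main__":
    for pad in (0, 4096):
        r = scan_bytes(make_sample(pad))
        print(f"padding={pad}: appended={r.appended_bytes} "
              f"trailing_zeros={r.trailing_zeros} suspicious={r.suspicious}")
```

The same trailing-zero measurement works on legacy binary .doc files, where there is no ZIP end record to compare against; there the size check and the zero-run length are what a mail gateway or sandbox can act on, for example by scanning only the bytes before the padding instead of skipping the file because it is too large.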
When opened, the Word documents present a graphic saying that the content cannot be accessed unless the user clicks the “enable content” button. Office blocks the macro by default; clicking “enable content” undoes that default and allows the macro to run. The macro causes Office to download a .zip file from a legitimate website that has been hacked. Office then unzips the compressed file and runs the Emotet DLL that infects the device.
Emotet Background
Emotet is a Trojan that is mainly spread via spam emails (malspam). The infection can get there via malicious scripts, macro-enabled document files, or malicious links.
Emails from Emotet may contain images from well-known brands designed to look like legitimate email. Emotet may try to persuade users to click on the malicious files by using enticing language about “Your invoice”, “Payment information” or possibly an upcoming shipment from well-known courier companies.
Emotet has gone through several iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the malware payload from command and control (C&C) servers run by the attackers. Now there are new tricks, and they will surely not be the last.