Research suggests Emotet is testing new tactics, techniques, and procedures on a small scale before adopting them in wider activity.

Notorious threat group Emotet has been detected testing new and significantly different attack techniques, potentially in preparation for larger campaigns or selective and limited attacks, according to research from cybersecurity vendor Proofpoint. The firm stated the activity occurred while the prolific botnet and Trojan threat actor was on a period of hiatus and not conducting its typical high-volume campaigns.

New Emotet attack activity a departure from typical behaviors

Emotet targets Windows platforms to distribute follow-on malware and was considered one of the most prolific cybercriminal threats before its disruption by global law enforcement in January 2021. After a 10-month disappearance from the threat landscape, the group re-emerged in November 2021 and has since targeted thousands of users in multiple geographic regions. In some cases, the volume of malicious messages used in individual campaigns has reached over one million, Proofpoint stated. However, activity detected between April 4 and April 19, 2022, signifies a significant departure from Emotet's typical attack behaviors, and is attributed to threat actor TA542.

Proofpoint detected a low volume of emails distributing Emotet, and the sender emails appeared to be compromised. The emails were not sent by the Emotet spam module. "The email bodies contained only OneDrive URLs and no other content. The OneDrive URLs hosted zip files containing Microsoft Excel Add-in (XLL) files. The zip archives and XLL files used the same lures as the email subjects, such as 'Salary_new.zip.' This particular archive contained four copies of the same XLL file with names such as 'Salary_and_bonuses-04.01.2022.xll'. The XLL files, when executed, drop and run Emotet leveraging the Epoch 4 botnet."

Several differences detected in Emotet's attack TTPs

Proofpoint stated that the activity differs from previously observed Emotet campaigns in the following ways:

- The low-volume nature of the activity. Typically, Emotet distributes high-volume email campaigns to many customers globally, with some campaigns in recent weeks hitting one million messages total.
- The use of OneDrive URLs. Typically, Emotet delivers Microsoft Office attachments or URLs (hosted on compromised sites) linking to Office files.
- The use of XLL files. Typically, Emotet uses Microsoft Excel or Word documents containing VBA or XL4 macros. XLLs are a type of dynamic link library (DLL) file for Excel and are designed to increase the functionality of the application.

"Proofpoint analysts attribute this activity with high confidence to threat actor TA542 because since 2014 the actor closely controlled the Emotet malware and has not rented it to other actors," the vendor added.

Businesses should implement defenses as Emotet adapts attack methods

Commenting on the findings, Proofpoint vice president, Threat Research and Detection, Sherrod DeGrippo said, "After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs alongside its existing high-volume campaigns. Organizations should be aware of the new techniques and ensure they are implementing defenses accordingly."

Proofpoint also noted TA542's interest in new techniques that do not rely on macro-enabled documents, with Microsoft making it increasingly difficult for threat actors to use macros as an infection vector. In February, Microsoft announced it would begin blocking Visual Basic for Applications (VBA) macros obtained from the internet by default in April.
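The two observable traits described above (a message body that is nothing but a OneDrive link, and a downloaded zip whose members are XLL add-ins, i.e. native DLLs carrying a PE header, several of them byte-identical) can be turned into a simple mail-gateway or sandbox triage check. The following is an added example written for this article; it is not Proofpoint's or Emotet's code. It assumes the public OneDrive share hostnames `onedrive.live.com` and `1drv.ms`, and the sample archive it builds is constructed: the "XLL" members are two-byte `MZ` stubs with lure-style filenames, not real add-ins.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumption: the public OneDrive share hostnames a defender would key on.
ONEDRIVE_HOSTS = ("onedrive.live.com", "1drv.ms")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
PE_MAGIC = b"MZ"  # every PE file (EXE/DLL/XLL) starts with this DOS header signature


def _is_onedrive_host(url: str) -> bool:
    """Match the exact host or a subdomain of it; a substring test would accept look-alikes."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ONEDRIVE_HOSTS)


def body_is_only_onedrive_links(body: str) -> bool:
    """True when the body contains at least one URL, every URL is a OneDrive link,
    and nothing but whitespace remains once the URLs are removed."""
    urls = URL_RE.findall(body)
    if not urls:
        return False
    if URL_RE.sub("", body).strip():
        return False  # there is other text, so not the "link-only" pattern
    return all(_is_onedrive_host(u) for u in urls)


def inspect_zip_for_xll(zip_bytes: bytes) -> Dict[str, List]:
    """Look inside an archive for XLL-named members, PE-headed members,
    and groups of byte-identical members (the 'four copies' layout)."""
    findings: Dict[str, List] = {"xll_members": [], "pe_members": [], "duplicate_groups": []}
    by_hash: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if info.filename.lower().endswith(".xll"):
                findings["xll_members"].append(info.filename)
            if data[:2] == PE_MAGIC:
                findings["pe_members"].append(info.filename)
            by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(info.filename)
    findings["duplicate_groups"] = [names for names in by_hash.values() if len(names) > 1]
    return findings


def triage_message(body: str, downloaded_zip: Optional[bytes]) -> List[str]:
    """Return human-readable reasons a message (plus the zip fetched from its link) looks
    like the pattern described; an empty list means nothing matched."""
    reasons: List[str] = []
    if body_is_only_onedrive_links(body):
        reasons.append("body contains only OneDrive link(s) and no other text")
    if downloaded_zip is not None:
        f = inspect_zip_for_xll(downloaded_zip)
        if f["xll_members"]:
            reasons.append(f"archive carries {len(f['xll_members'])} XLL member(s)")
        if f["pe_members"]:
            reasons.append("archive member(s) carry a PE (MZ) header, i.e. native code")
        if f["duplicate_groups"]:
            reasons.append("archive contains byte-identical copies of the same member")
    return reasons


def build_sample_archive() -> bytes:
    """Constructed sample: four identical fake XLLs (MZ stub only, not a real add-in)
    with lure-style names modelled on the reported 'Salary_and_bonuses' filenames."""
    fake_xll = PE_MAGIC + b"\x00" * 62 + b"constructed-sample-not-a-real-add-in"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(1, 5):
            zf.writestr(f"Salary_and_bonuses-04.01.2022-{i}.xll", fake_xll)
    return buf.getvalue()


# Constructed sample body: a single share link and nothing else.
SAMPLE_BODY = "https://1drv.ms/u/s!constructed-share-token\n"

if __name__ == "__main__":
    for reason in triage_message(SAMPLE_BODY, build_sample_archive()):
        print("-", reason)
```

The hostname check deliberately parses the URL rather than searching for the string "onedrive", so a look-alike such as a `onedrive.live.com.example` subdomain of another site does not count as OneDrive. Real triage would additionally sandbox the downloaded archive and check whether the XLL's export table includes `xlAutoOpen`, which this example does not do.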