
Brand-new Emotet campaign socially engineers its way past detection

This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros

The Emotet botnet has returned for a fresh campaign deploying various tactics such as binary padding and social engineering to evade security defences.

Organisations have been warned to remain vigilant amidst a fresh wave of Emotet spam activity that has surged since the start of the year, following a three-month period of low activity.  

The acceleration in attacks has been driven by the resurgence of the ‘Epoch 4’ botnet, which has been used to deliver malicious documents attached to seemingly legitimate emails.

This latest iteration of Emotet was found to mimic replies in existing email chains and threads, duping users into believing the malicious content was from a previous conversation.  

“These types of emails are often paired with social engineering techniques that are designed to get recipients to click on a link or download an attachment containing malware,” Trend Micro said in a blog post.

New Emotet campaign: How does it work?

Malicious emails in this latest Emotet campaign were found to contain a .zip attachment. Once opened, this delivers a Word document that dupes the user into enabling a malicious macro, researchers said.

Although Microsoft began blocking VBA macros by default in Office files downloaded from the internet in 2022, Emotet's malicious documents "deploy social engineering techniques to trick users into enabling macros to allow the attack to proceed as intended".

Once enabled, the macro downloads a malicious DLL payload, which infects the device.

A key concern in this campaign is that this iteration of Emotet uses large file sizes to bypass security scans and endpoint protection processes. Each malicious email includes a zip file of around 600 KB which, once extracted, yields a Word document of over 500 MB, researchers said.

Binary padding isn't an uncommon method of malware obfuscation. It attempts to exploit file size limits in security products by inflating the malicious payload's file size, a method which can cause scanning tools to skip the file altogether. Because the padding compresses extremely well, the attachment stays small enough to pass through email gateways while the extracted document exceeds the limits of many scanners.

“Malicious actors use zip compression to transport the relatively small files via email and HTTP, before decompression is used to inflate the files to evade security solutions. Finally, reconnaissance activities are performed either via IP configs or through the affected machine’s system information,” researchers said.
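The two steps above, a zipped Word document carrying a VBA project and a document inflated by padding, can both be checked from the attachment before anything is extracted. The following is an added example, not code from the article or from Trend Micro: it reads the outer zip's central directory to get each member's declared uncompressed size and compression ratio (no decompression needed), then inspects the inner document for a `vbaProject.bin` entry. The sample attachment, the scan-limit and ratio thresholds, and the padding layout (null bytes appended after the document) are constructed assumptions for the demo; the article does not say exactly how Emotet laid out its padding.

```python
"""Added example, not code from the article or from Trend Micro: triage an
e-mail attachment .zip the way a scanner that does not skip large files
would. The outer zip's central directory exposes a padded member (huge
uncompressed size, extreme compression ratio) without extracting it; the
inner Word document is then checked for a VBA project. The sample
attachment, thresholds and padding layout are constructed assumptions."""
import io
import struct
import zipfile

MAX_SCAN_BYTES = 50 * 1024 * 1024   # assumed per-file scan limit of a security product
PAD_RATIO = 100.0                   # uncompressed/compressed ratio that looks like padding (assumption)
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dotm")


def build_fake_word_doc(with_macro: bool, padding: int) -> bytes:
    """Constructed OOXML-style document (a zip) with an optional vbaProject.bin,
    followed by `padding` null bytes appended after the zip's end record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    return buf.getvalue() + b"\x00" * padding


def build_attachment(name: str, doc: bytes) -> bytes:
    """Constructed outer .zip as it would arrive attached to the e-mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, doc)
    return buf.getvalue()


def strip_trailing_padding(doc: bytes):
    """Return (zip bytes, padding length). A zip ends with the 22-byte
    end-of-central-directory record plus an optional comment; anything after
    that is padding. zipfile itself refuses a file with more than 64 KiB
    of trailing bytes, which is why the padding is trimmed first."""
    eocd = doc.rfind(b"PK\x05\x06")
    if eocd < 0:
        return doc, 0
    comment_len = struct.unpack_from("<H", doc, eocd + 20)[0]
    end = eocd + 22 + comment_len
    return doc[:end], len(doc) - end


def has_vba_project(doc: bytes) -> bool:
    """OOXML stores macros as word/vbaProject.bin. Legacy OLE .doc files need
    an OLE parser (e.g. oletools) and are simply reported as False here."""
    if not doc.startswith(b"PK\x03\x04"):
        return False
    body, _ = strip_trailing_padding(doc)
    with zipfile.ZipFile(io.BytesIO(body)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def triage_attachment(outer_zip: bytes, max_scan_bytes: int = MAX_SCAN_BYTES) -> dict:
    findings = {"members": [], "padded": False, "exceeds_scan_limit": False,
                "macro_doc": False, "trailing_padding": 0}
    with zipfile.ZipFile(io.BytesIO(outer_zip)) as outer:
        for info in outer.infolist():
            # Sizes come from the central directory: no decompression needed.
            ratio = info.file_size / max(info.compress_size, 1)
            findings["members"].append((info.filename, info.file_size, round(ratio, 1)))
            if info.file_size > max_scan_bytes:
                findings["exceeds_scan_limit"] = True   # a size-capped scanner would stop here
            if ratio > PAD_RATIO:
                findings["padded"] = True
            if info.filename.lower().endswith(OFFICE_EXTS):
                doc = outer.read(info)           # inflate anyway; the size cap is the weakness
                _, pad = strip_trailing_padding(doc)
                findings["trailing_padding"] = max(findings["trailing_padding"], pad)
                findings["macro_doc"] = findings["macro_doc"] or has_vba_project(doc)
    return findings


if __name__ == "__main__":
    padded = build_attachment("Invoice_2023.docm",
                              build_fake_word_doc(True, 8 * 1024 * 1024))
    print(len(padded), "byte attachment ->",
          triage_attachment(padded, max_scan_bytes=4 * 1024 * 1024))
```

The point of the design is that the outer zip's central directory already tells a gateway that a kilobyte-sized attachment expands to many megabytes; a scanner that reads those fields can flag the padding before it ever hits its own size cap, and a scanner that still inflates the document finds the macro the padding was meant to hide.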

Emotet remains resilient and dangerous

Trend Micro researchers said the Emotet resurgence shows that it remains a “prolific and resilient” threat for organisations globally.  

The botnet has survived previous takedowns led by law enforcement, including a notable disruption of its infrastructure in 2021.


In that operation, a joint effort between Europol and law enforcement agencies from the UK, US, and France seized control of several hundred servers. The takedown granted a reprieve for hundreds of victims infected with the malware.

While this appeared to put a major dent in the operation, within a year researchers observed another resurgence of the botnet, revealing that its infrastructure had “almost doubled” in the space of a few months.  

Research from Proofpoint in November 2022 found that after another hiatus period, Emotet was responsible for hundreds of thousands of daily attacks, once again securing its place as a “primary facilitator” of malware delivery.  

Trend Micro suggested that organisations will continue to face growing threats from Emotet in the coming months, noting that “it would not be surprising to see it evolve further in future attacks” by employing alternative malware delivery methods.  

The botnet is also expected to adopt new evasion techniques and integrate “additional second and even third-stage payloads into its routine”.
