Emotet Malware Returns After Three-Month Hiatus

The notorious Emotet campaign has resumed after a three-month lull, with malicious emails being sent to people across the globe. Emotet is a well-known malware family distributed through email. It is delivered as malicious Microsoft Word and Excel attachments. Once a user opens one of these attachments and enables macros, the Emotet DLL is loaded into memory and waits for instructions from a remote command-and-control (C2) server.

The malware then harvests its victims' email addresses and contacts for future Emotet campaigns. It also loads additional payloads, such as Cobalt Strike and other malware. Although Emotet was once considered one of the most prevalent malware families, its activity gradually slowed; the last spam operation was observed in November 2022.

However, the security firm Cofense and the Cryptolaemus research group have warned that the Emotet botnet resumed sending emails on March 7. The current campaign uses emails that pose as tax accounting documents. The ZIP archives attached to these emails are 500 MB or larger, holding Word documents whose file size has been artificially inflated to make them harder for antivirus solutions to scan. The documents use the Emotet “Red Dawn” template, which asks the user to enable the file's content so that it can “be correctly displayed”.

These fraudulent documents contain macros that download the Emotet loader as a DLL from malicious sites, many of them compromised WordPress blogs. Once dropped, Emotet persists in a randomly named folder under %LocalAppData% and is run via regsvr32.exe. Once running, the malware stays in the background, waiting for commands to install additional payloads on the computer. Such attacks usually end in data theft and full-scale ransomware deployment.
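As an added example (not from the report, Cofense or Cryptolaemus), here is defender-side detection logic for the two behaviours described above: regsvr32.exe registering a DLL from a folder directly under %LocalAppData%, run over constructed process-creation events, and a padding heuristic for the inflated documents. The event field names, the Office-parent check, the null filler byte and both thresholds are assumptions.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events, one JSON object per line.
# Illustrative only: user, folder and DLL names are invented, not real indicators.
SAMPLE_EVENTS = r"""
{"image": "C:\\Windows\\System32\\regsvr32.exe", "cmdline": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Kxqtbnvr\\vljpfnqs.dll", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"image": "C:\\Windows\\System32\\regsvr32.exe", "cmdline": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\component.dll\"", "parent": "C:\\Windows\\System32\\msiexec.exe"}
{"image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt", "parent": "C:\\Windows\\explorer.exe"}
"""

# A DLL inside a folder directly under %LocalAppData%: the drop location described above.
LOCALAPPDATA_DLL_RE = re.compile(r'\\AppData\\Local\\([^\\"]+)\\[^\\"]+\.dll', re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

def check_regsvr32_event(event):
    """Return a finding if regsvr32.exe registers a DLL from %LocalAppData%\\<folder>\\, else None.
    An Office parent process matches the macro-to-loader chain, so it raises the severity."""
    if PureWindowsPath(event.get("image", "")).name.lower() != "regsvr32.exe":
        return None
    match = LOCALAPPDATA_DLL_RE.search(event.get("cmdline", ""))
    if not match:
        return None
    parent = PureWindowsPath(event.get("parent", "")).name.lower()
    return {"folder": match.group(1), "severity": "high" if parent in OFFICE_PARENTS else "medium"}

def scan_events(text):
    """Parse newline-delimited JSON events and collect the findings in order."""
    findings = []
    for line in text.strip().splitlines():
        finding = check_regsvr32_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings

def is_bloated_document(data, min_size=100 * 1024 * 1024, filler_ratio=0.9):
    """Heuristic for the size-inflation trick: the file is unusually large and consists
    almost entirely of a filler byte. The null filler and both thresholds are assumptions;
    set min_size to the size above which your gateway would otherwise skip scanning."""
    if len(data) < min_size:
        return False
    return data.count(b"\x00") / len(data) >= filler_ratio

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"regsvr32 loading DLL from %LocalAppData%\\{finding['folder']} ({finding['severity']})")
    padded = b"PK\x03\x04" + b"\x00" * 10_000          # constructed stand-in for a padded docx
    print("bloated:", is_bloated_document(padded, min_size=1_000))
```

The size heuristic is deliberately cheap so it can run at the mail gateway before the archive is handed to a scanner that might skip oversized files.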

Cofense reports that it has not yet seen any additional payloads deployed in this campaign; so far the malware only collects data for future spam campaigns. To avoid falling victim, do not open Office files or other documents of dubious origin.

That precaution protects your data, time, and nerves by stopping the attack before it starts.
