The Emotet botnet has resumed spamming after a roughly three-month pause. The malware is being distributed worldwide through emails that carry ZIP attachments containing malicious Word documents, a threat to individuals and organizations alike.
Emotet first emerged as a banking Trojan in 2014 and evolved into a malware distribution platform around 2017. It is held responsible for several high-profile intrusions and has kept evolving over the years. In 2019, Emotet reportedly added an EternalBlue-based spreading module, allowing it to move rapidly across internal networks. A coordinated international law enforcement action in January 2021 (Operation LadyBird) severely disrupted its infrastructure.
Despite the takedown, Emotet returned in November 2021, dropped onto already-infected machines by the TrickBot botnet, and has since gone through phases of dormancy and activity while experimenting with different infection chains and payloads. The current campaign, as reported by Cofense, uses emails that masquerade as invoices and carry Word documents padded to roughly 500MB. The padding is an evasion technique: many antivirus products are configured to skip files above a size limit, so an oversized file is never scanned at all.
The documents carry malicious macros which, if the user enables them, download the Emotet loader from compromised websites that still have a good reputation, which makes URL-reputation filtering less likely to catch the download. According to the Cryptolaemus research group, the loader DLL is saved to a randomly named folder and launched with regsvr32.exe; like the document, it is padded, to about 526MB, for the same reason.
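The size trick described above is cheap to detect once you know to look for it: a file that exceeds the scanner's cut-off and consists almost entirely of one repeated byte at its tail is not a normal document. The following is an added example, not code from the article, Cofense or Cryptolaemus; it measures the trailing filler run of a file, reports whether the file is "inflated" relative to an assumed scan limit, and strips the filler so the real content can be handed to a normal scanning engine. The sample document, the 100MB limit and the 0.9 ratio are constructed for the example.

```python
"""Added example (not from the article or any vendor): spot documents or DLLs that
have been inflated with trailing filler bytes so that a size-capped scanner skips them."""

# Assumed scanner cut-off for the example; real products differ, so tune it.
SIZE_LIMIT = 100 * 1024 * 1024

# Signatures of the container formats worth recognising here.
MAGICS = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy .doc/.xls)",
    b"PK\x03\x04": "ZIP container (OOXML .docx/.xlsx or plain .zip)",
    b"MZ": "PE executable/DLL",
}


def container_type(data: bytes) -> str:
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def trailing_filler(data: bytes) -> tuple[int, int]:
    """Return (byte_value, run_length) for the run of one repeated byte at the end.

    Reports describe the Emotet samples as padded with unused bytes; checking for
    any repeated byte rather than only 0x00 also catches filler such as 0x20 or 0xFF.
    """
    if not data:
        return (0, 0)
    last = data[-1]
    run = len(data) - len(data.rstrip(bytes([last])))
    return (last, run)


def analyze(data: bytes, size_limit: int = SIZE_LIMIT, min_ratio: float = 0.9) -> dict:
    """Summarise a file; 'inflated' means it exceeds the scan limit AND is mostly filler."""
    filler, run = trailing_filler(data)
    ratio = run / len(data) if data else 0.0
    return {
        "size": len(data),
        "container": container_type(data),
        "filler_byte": filler,
        "filler_run": run,
        "filler_ratio": round(ratio, 3),
        "over_scan_limit": len(data) > size_limit,
        "inflated": len(data) > size_limit and ratio >= min_ratio,
    }


def strip_filler(data: bytes, min_run: int = 1024 * 1024) -> bytes:
    """Drop a large trailing filler run so the real content can be scanned normally.

    Runs shorter than min_run are kept: a genuine file may legitimately end in a
    few repeated bytes, and removing them would change what the engine hashes.
    """
    _, run = trailing_filler(data)
    return data[: len(data) - run] if run >= min_run else data


def analyze_file(path: str, **kw) -> dict:
    """Convenience wrapper: read a file from disk and analyse it."""
    with open(path, "rb") as fh:
        return analyze(fh.read(), **kw)


# Constructed sample: a fake legacy .doc (OLE2 magic, a little text, 1 MiB of 0x00).
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"invoice text " * 100 + b"\x00" * (1 << 20)

if __name__ == "__main__":
    # Lower the limit so the small constructed sample trips it.
    print(analyze(SAMPLE_DOC, size_limit=512 * 1024))
    print(len(strip_filler(SAMPLE_DOC)), "bytes after stripping filler")
```

Run it against a mail gateway quarantine or an endpoint's Downloads folder with `analyze_file`. The same check applies to the dropped loader DLL: a 500MB module under a user profile that is 99% one byte is worth an alert regardless of what the engine says about its hash.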
Once the loader is running on the compromised device, it stays in the background and waits for commands from its command-and-control (C2) servers. Analysts have identified several new C2 IP addresses supporting the latest spam wave. Emotet can also fetch, decrypt and load additional payloads on compromised systems, including ransomware.
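The execution chain above (an Office process spawning regsvr32.exe, which loads a DLL from a randomly named per-user folder) is a pattern that endpoint telemetry can flag before any C2 traffic occurs. The following is an added example, not code from the article or any vendor: a small detection routine run over constructed Sysmon-style process-creation records. The field names, the sample command lines and the path heuristics are assumptions for the example; Emotet's real command line is not quoted on this page.

```python
"""Added example (not from the article or any vendor): flag regsvr32.exe/rundll32.exe
loading a module from a user-writable path, the execution pattern described above."""
import json
import re
from pathlib import PureWindowsPath
from typing import Optional

LOADERS = {"regsvr32.exe", "rundll32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Locations an unprivileged user can write to; a vendor-installed COM server
# normally lives under Program Files or System32, not here.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads)\\|\\windows\\temp\\|\\programdata\\|\\users\\public\\",
    re.I,
)
# First absolute Windows path ending in .dll/.ocx; non-greedy so spaces in unquoted
# paths are kept and rundll32's 'path.dll,Entry' form stops at the extension.
MODULE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|ocx)\b', re.I)


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious loader invocation, else None."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in LOADERS:
        return None
    m = MODULE_RE.search(event.get("CommandLine", ""))
    module = m.group(0) if m else ""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    reasons = []
    if module and USER_WRITABLE.search(module):
        reasons.append("module loaded from user-writable path")
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    if not reasons:
        return None
    return {
        "user": event.get("User"),
        "loader": image,
        "parent": parent,
        "module": module,
        "reasons": reasons,
        # Both signals together is the document-macro-to-loader chain itself.
        "severity": "high" if len(reasons) == 2 else "medium",
    }


def scan(lines) -> list:
    """Run classify over JSON-encoded process-creation events (e.g. Sysmon EventID 1)."""
    return [a for a in (classify(json.loads(line)) for line in lines) if a]


# Constructed Sysmon-style records, not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Wq9zK\Xl3Pmv.dll"',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "User": r"CORP\alice",
    }),
    json.dumps({  # benign: installer registering a vendor control from Program Files
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\control.ocx",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "User": "NT AUTHORITY\\SYSTEM",
    }),
    json.dumps({  # suspicious path, but parent is not Office
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Roaming\x\y.dll,DllRegisterServer",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\bob",
    }),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The rule is deliberately narrow: it only fires on the two living-off-the-land loaders and only when the module sits somewhere a user could have written it or the parent is an Office application. It will miss UNC and relative module paths and should be paired with the C2 indicator lists mentioned later on this page rather than replace them.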
In related news, Europol announced an operation that tracked down two core members of the DoppelPaymer ransomware gang in Germany and Ukraine. Although DoppelPaymer is no longer active, its operation between 2019 and 2021 caused multi-million-dollar damages. Europol reports that U.S.-based victims alone paid at least $42 million in ransoms to the gang, not counting the costs of business disruption, reputational damage and legal fees. The report also notes that many of the DoppelPaymer attacks were enabled by Emotet, which delivered the ransomware into networks it had already breached.
To protect against Emotet, remain vigilant and do not open attachments from unsolicited messages, particularly unexpected invoices; verify such requests through a known contact rather than through the email itself. Regular email security training also helps organizations deal with threats like Emotet.
Microsoft now blocks VBA macros by default in Office files that carry the Mark of the Web, that is, files downloaded from the internet or extracted from a downloaded archive by a tool that propagates the mark; note that not every archive utility does so. Administrators can enforce this with the Group Policy "Block macros from running in Office files from the Internet". If you work in an environment that genuinely needs macros enabled, open document files only inside a sandboxed environment. Network administrators should also block IP addresses known to be part of the Emotet infrastructure or associated with its distribution, including those shared by Max Malyutin on Twitter, bearing in mind that such lists are point-in-time: Emotet rotates its C2 addresses between waves, so they need refreshing.
If a device becomes infected with Emotet or another Trojan, isolate it from the network first; because Emotet is a loader for follow-on payloads including ransomware, a single infected host should be treated as the start of a wider incident, not an isolated cleanup. Seeking assistance from a reputable, professional ransomware removal and recovery company like Monster Cloud is recommended. With a team of skilled security experts, Monster Cloud provides a comprehensive response to ransomware incidents, covering removal of the threat and recovery of critical data, so that individuals and organizations can regain control of their infected devices and reduce the risk of future attacks.