Brand-new Emotet campaign socially engineers its way past detection
This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros


The Emotet botnet has returned for a fresh campaign deploying various tactics such as binary padding and social engineering to evade security defences.
Organisations have been warned to remain vigilant amidst a fresh wave of Emotet spam activity that has surged since the start of the year, following a three-month period of low activity.
The acceleration in attacks has been driven by the resurgence of the ‘Epoch 4’ botnet, which has been used to deliver malicious documents attached to seemingly legitimate emails.
This latest iteration of Emotet was found to mimic replies in existing email chains and threads, duping users into believing the malicious content was from a previous conversation.
“These types of emails are often paired with social engineering techniques that are designed to get recipients to click on a link or download an attachment containing malware,” Trend Micro said in a blog post.
New Emotet campaign: How does it work?
Malicious emails in this latest Emotet campaign were found to carry a .zip attachment. Once opened, the archive yields a Word document that dupes the user into enabling a malicious macro, researchers said.
Although Microsoft began blocking VBA macros by default in 2022 for Office files downloaded from the internet, Emotet's malicious documents "deploy social engineering techniques to trick users into enabling macros to allow the attack to proceed as intended".
Once enabled, the macro downloads a malicious DLL payload to infect the device.
A key concern in this campaign is that this iteration of Emotet uses very large files to slip past security scans and endpoint protection. Each malicious email carries a zip file of around 600KB that unpacks to a Word document of more than 500MB, researchers said.
Binary padding is a common evasion technique. It exploits the file size limits built into security products by inflating a malicious file with filler bytes that change nothing about its behaviour, so that a scanner with an upper size limit skips the file altogether instead of inspecting it.
“Malicious actors use zip compression to transport the relatively small files via email and HTTP, before decompression is used to inflate the files to evade security solutions. Finally, reconnaissance activities are performed either via IP configs or through the affected machine’s system information,” researchers said.
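The infection chain above (small zip, huge padded document inside) can be triaged without ever inflating the padding, because the zip central directory already records each entry's compressed and uncompressed sizes. The following is an added example, not code from the article or from Trend Micro: it contrasts a naive engine that silently skips any entry larger than its limit with a padding-aware check that flags an Office document whose uncompressed size is large, whose compression ratio is suspiciously high, and whose first bytes are the legacy binary Office (OLE) header. The thresholds, file names and the 8MB constructed sample are assumptions; the real campaign inflated its document to over 500MB, but the ratio logic is the same.

```python
import io
import zipfile

# Thresholds are hypothetical illustration values; tune them to your own engine.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.doc/.xls/.ppt) header
OFFICE_EXT = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm")
SCANNER_SIZE_LIMIT = 100 * 1024 * 1024  # bytes beyond which a naive engine refuses to inflate
PADDING_RATIO = 50.0                    # uncompressed:compressed ratio that suggests padding
MIN_SUSPECT_SIZE = 1024 * 1024          # ignore small files that simply compress well


def naive_scan(zip_bytes: bytes, size_limit: int = SCANNER_SIZE_LIMIT) -> dict:
    """Model of the weak behaviour padding exploits: oversize entries are skipped, not flagged."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdicts[info.filename] = "skipped" if info.file_size > size_limit else "scanned"
    return verdicts


def padding_aware_scan(zip_bytes: bytes, size_limit: int = SCANNER_SIZE_LIMIT) -> dict:
    """Triage from central-directory metadata plus an 8-byte peek; the padding is never inflated."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            ratio = info.file_size / max(info.compress_size, 1)
            if info.filename.lower().endswith(OFFICE_EXT):
                with zf.open(info) as fh:          # streams only the first compressed block
                    head = fh.read(len(OLE_MAGIC))
                if (head == OLE_MAGIC and info.file_size >= MIN_SUSPECT_SIZE
                        and ratio >= PADDING_RATIO):
                    reasons.append(
                        f"padded Office document ({info.file_size} bytes, {ratio:.0f}:1)")
            if info.file_size > size_limit:
                # The correct response to 'too big to scan' is quarantine, not a free pass.
                reasons.append("oversize for the engine: quarantine, do not skip")
            verdicts[info.filename] = reasons
    return verdicts


def build_sample_zip(name: str, payload: bytes) -> bytes:
    """Constructed test input for this example, not a real Emotet sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_lure(padding_bytes: int = 8 * 1024 * 1024) -> bytes:
    """OLE header followed by zero padding: the campaign's trick at a fraction of its size."""
    return build_sample_zip("Re_invoice.doc", OLE_MAGIC + b"\x00" * padding_bytes)


if __name__ == "__main__":
    lure = build_sample_lure()
    limit = 4 * 1024 * 1024   # shrink the engine limit to match the shrunken sample
    print("naive  :", naive_scan(lure, limit))
    print("aware  :", padding_aware_scan(lure, limit))
    benign = build_sample_zip("notes.doc", OLE_MAGIC + bytes(range(256)) * 16)
    print("benign :", padding_aware_scan(benign, limit))
```

Deflate cannot compress better than roughly 1000:1, so an entry reporting a ratio in the hundreds is almost always filler; the peek at the first eight bytes is what keeps the check cheap, since the stream is decompressed only far enough to read the header.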
Emotet remains resilient and dangerous
Trend Micro researchers said the Emotet resurgence shows that it remains a “prolific and resilient” threat for organisations globally.
The botnet has survived previous takedowns led by law enforcement, including a notable disruption of its infrastructure in 2021.
In that operation, a joint effort between Europol and law enforcement agencies including those of the UK, US, and France seized control of several hundred servers. The takedown granted a reprieve to victims whose machines had been infected with the malware.
While this appeared to put a major dent in the operation, within a year researchers observed another resurgence of the botnet, revealing that its infrastructure had “almost doubled” in the space of a few months.
Research from Proofpoint in November 2022 found that after another hiatus period, Emotet was responsible for hundreds of thousands of daily attacks, once again securing its place as a “primary facilitator” of malware delivery.
Trend Micro suggested that organisations will continue to face growing threats from Emotet in the coming months, noting that “it would not be surprising to see it evolve further in future attacks” by employing alternative malware delivery methods.
Threat actors are also expected to adopt new evasion techniques and integrate “additional second and even third-stage payloads into its routine”.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.