After temporarily destroying its botnet, the enormously dangerous and sophisticated Trojan Emotet attacks again. Security researchers warn of new scams of the malware, whose masterminds could be in Russia.
At the end of January 2021, international investigators announced the demolition of the IT structure of the Emotet malware, which is considered the “King of Trojans”. But just a few months later, in November, security researchers around the world again noticed increased activity by the powerful malware. Now Emotet is back on top and has new scams ready to lure users into the trap.
According to the HP Wolf Security Threat Insights Report, the Trojan was again one of the most frequently detected malware samples in the past quarter, accounting for nine percent of all malware cases recorded. Checkpoint Research (CPR) assumes that 10 percent of all companies worldwide were already affected by attacks in March 2022, twice as many as in February.
The quick comeback was apparently possible because only the Emotet infrastructure was destroyed, but the masterminds remained at large. “Emotet was the most powerful botnet in the history of cybercrime. Now it has sold its strong foundation to other hackers to spread the malware quickly, mostly ransomware gangs,” said Lotem Finkelsteen, CPR’s threat researcher directs.
As before, the malware spreads via spam e-mails, with the number of attacks constantly increasing massively. HP Wolf Security saw a 28x increase sequentially. The malware is very sophisticated and deceives victims with known senders, plausible subject, direct salutation and correct signature.
This information can come from the email histories and address books of computers that have already been compromised. However, the malware also uses data from hacked websites, for example from hotels in which users who have been contacted have previously stayed.
Previously, Emotet tried to trick its victims into allowing macros in infected Word or Excel files. In principle, these are sequences of commands that are used to automate processes in Office documents. If a malicious Emotet macro was opened, the malware downloaded additional malware, such as blackmail or banking Trojans.
For this reason, macros have always been disabled and users had to accept execution before the mini-programs could start. As an additional barrier, Microsoft recently introduced a standard blocking of macros in Office documents if they come from unsafe sources.
However, the new Emotet string pullers are already counteracting this. As noted by security company Proofpoint, among others, they have recently tried new tactics, techniques, and procedures.
This includes emails with simple subjects such as “salary” or “bonuses” that no longer have attachments with infected macros. Instead, the texts contain links to ZIP archives on Microsoft’s cloud storage OneDrive. They contain Microsoft Excel add-in files (XLL) named similar to the subjects. Opening and executing these files installs malware.
According to CPR, the attackers made another interesting switch. So far, Emotet was installed first, which then loaded other malware samples. Among them was the banking Trojan Trickbot. Now it’s the other way around, according to CPR, Trickbot is now distributing new Emotet variants instead. The company estimates that in the ten months following the supposed destruction of the Emotet infrastructure alone, around 140,000 people were victims of the new attack structure in 149 countries.
Even if the backers have changed, they probably come from Russia or sympathize with the country. That comes from a publication of Cybersecurity
To protect yourself, the German Federal Office for Information Security (BSI) recommends that users follow the advice below:
– Install promptly provided security updates for operating systems and application programs (web browsers, e-mail clients, Office applications, etc.).
– Use antivirus software and keep it updated.
– Secure your data regularly (backups).
– Set up a separate user account on the computer to surf the web and write emails.
– Be careful when opening e-mail attachments (especially Office documents) even if the sender is known to you, and check the links in the messages before you click on them. In the case of a suspicious e-mail, you should call the sender and inquire about the credibility of the content.
6