In time for Christmas, Emotet sent the ‘gift’ of Trick Bot.
After a gap of almost 2 months, the Emotet botnet has returned with updated payloads & a campaign that is hitting 100,000 targets every day.
Emotet started life as a banking trojan in 2014 & has continually evolved to become a full-service threat-delivery mechanism. It can install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms & ransomware.
Democratic National Committee
It was last seen in volume in Oct., targeting volunteers for the US Democratic National Committee (DNC). Before that, it became active in July after a 5-month break, using the Trick Bot trojan, and in Feb. it was seen in a campaign that sent SMS messages pretending to be from victims’ banks.
“The Emotet botnet is one of the most prolific senders of malicious emails when it is active, but it regularly goes dormant for weeks or months at a time,” observed Brad Haas, researcher at Cofense, in a blog.
“This year, one such hiatus lasted from Feb. through mid-July, the longest break Cofense has seen in the last few years. Since then, they observed regular Emotet activity until the end of Oct., but nothing from that point until today.”
The botnet is also staying true to form in terms of payloads, researchers explained. “In Oct., the most common secondary payloads were Trick Bot, Qakbot & ZLoader; today we observed Trick Bot,” according to Haas.
The Trick Bot malware is a well-known & sophisticated trojan 1st developed in 2016 as a banking malware. Like Emotet, it has a history of transforming itself & adding new features to evade detection or advance its infection capabilities.
Users infected with the Trick Bot trojan will see their device become part of a botnet that attackers use to load 2nd-stage malware – researchers called it an “ideal dropper for almost any additional malware payload.”
Typical consequences of Trick Bot infections are bank-account takeover, high-value wire fraud & ransomware attacks. It most recently implemented functionality designed to inspect the UEFI/BIOS firmware of targeted systems. It has made a serious resurgence following an Oct. takedown of the malware’s infrastructure.
Several security firms found the latest campaign, with Proofpoint noting via Twitter, “We’re seeing 100k+ messages in English, German, Spanish, Italian etc. Lures use thread hijacking with Word attachments, pw-protected zips & URLs.”
Thread hijacking is a trick Emotet added in the autumn, flagged by researchers at Palo Alto Networks. The operators insert themselves into an existing email conversation, replying to a real email sent by a target, so the recipient has no reason to think the reply is malicious.
Sherrod DeGrippo, Senior Director of Threat Research & Detection at Proofpoint, explained that the campaign this week is pretty standard fare for Emotet.
“Our team is still reviewing the new samples & thus far we’ve only found minor changes. E.g., the Emotet binary is now being served as a DLL instead of an .exe,” DeGrippo suggested.
“We typically observe 100s of 1,000s of emails per day when Emotet is operating. This campaign is on par for them. As these campaigns are ongoing, we are doing totals on a rolling basis. Volumes in these campaigns are similar to other campaigns in the past, generally around 100,000 to 500,000 per day.”
She added that the most interesting thing about the campaign is timing.
“We typically see Emotet cease operations on Dec. 24 through early Jan.,” she noted. “If they continue that pattern, this recent activity would be incredibly short & unusual for them.”
Malwarebytes researchers meanwhile noted that the threat actors are alternating between different phishing lures, including COVID-19 themes, to social-engineer users into enabling macros. The researchers also observed the Emotet gang loading its payload behind a fake error message.
Haas’ Cofense team observed the same activity, noting that it marks an evolution for the Emotet gang.
“The new Emotet maldoc includes a noticeable change, likely meant to keep victims from noticing they’ve just been infected,” he commented. “The document still contains malicious macro code to install Emotet, & still claims to be a “protected” document that requires users to enable macros in order to open it.
Old & New Versions
The old version would not give any visible response after macros were enabled, which may make the victim suspicious.
The new version creates a dialog box saying that “Word experienced an error trying to open the file.” This gives the user an explanation why they don’t see the expected content & makes it more likely that they will ignore the entire incident while Emotet runs in the background.”
DeGrippo outlined that an initial look at the emails indicates that some of the hijacked threads ask recipients to open a .zip attachment & provide a password for access.
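The lure pattern described above (a reply into a hijacked thread, a macro-enabled Word attachment, or a password-protected zip with the password quoted in the message body) is something a mail-gateway rule can look for. The script below is an added, stdlib-only illustration of that detection logic; it is not code from the article or from any of the vendors quoted. It constructs its own sample message, so every address, subject, filename and the sample password are hypothetical, and the "encrypted" zip is a plain archive with the encryption flag bit patched in purely so the detector has something to flag.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Office containers worth opening. Legacy OLE .doc files with macros need a
# parser such as oletools' olevba; this stdlib-only example covers OOXML.
OFFICE_EXT = (".doc", ".docx", ".docm", ".dot", ".dotm")
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:|-)?\s*\S+", re.IGNORECASE)


def build_docm_with_macro() -> bytes:
    """Constructed stand-in for a macro-enabled Word file: an OOXML zip that
    carries word/vbaProject.bin, the part in which Word stores VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_plain_zip() -> bytes:
    """Constructed unencrypted zip with one harmless entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.doc", b"not really a document")
    return buf.getvalue()


def mark_zip_encrypted(data: bytes) -> bytes:
    """Sample-building helper only: set general-purpose flag bit 0 ('encrypted')
    in every local file header (signature PK 03 04, flags at offset 6) and
    central-directory entry (PK 01 02, flags at offset 8), so zipfile reports
    the archive as password protected without shipping a real encrypted one."""
    b = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(sig)
        while i != -1:
            b[i + off] |= 0x01
            i = b.find(sig, i + 4)
    return bytes(b)


def ooxml_has_vba(data: bytes) -> bool:
    """True when an OOXML container carries a VBA project (any extension)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def zip_is_encrypted(data: bytes) -> bool:
    """True when any entry in the archive has the 'encrypted' flag set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(info.flag_bits & 0x1 for info in z.infolist())
    except zipfile.BadZipFile:
        return False


def analyze(raw: bytes) -> dict:
    """Inspect one RFC 5322 message for the lure combination described above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # A reply into an existing thread carries In-Reply-To/References headers;
    # that inherited context is what makes a hijacked thread look legitimate.
    reply_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(OFFICE_EXT) and ooxml_has_vba(data):
            findings.append(f"macro-enabled Office attachment: {name}")
        if name.endswith(".zip") and zip_is_encrypted(data):
            findings.append(f"password-protected zip: {name}")
            if PASSWORD_RE.search(text):
                findings.append("archive password supplied in message body")
    return {
        "reply_thread": reply_thread,
        "findings": findings,
        # Risky attachments alone are common in business mail; the combination
        # with a reply into an existing thread is the pattern worth alerting on.
        "suspicious": reply_thread and bool(findings),
    }


def build_sample_email() -> bytes:
    """Constructed message mimicking the lure: a reply in an existing thread
    with a macro-enabled .docm and a password-protected zip, password in body."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"  # hypothetical addresses
    msg["To"] = "target@example.com"
    msg["Subject"] = "RE: invoice"
    msg["In-Reply-To"] = "<thread-1@example.com>"
    msg.set_content("As discussed, see attached. Password: invoice2020")
    msg.add_attachment(build_docm_with_macro(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment(mark_zip_encrypted(build_plain_zip()),
                       maintype="application", subtype="zip",
                       filename="invoice.zip")
    return bytes(msg)


if __name__ == "__main__":
    print(analyze(build_sample_email()))
```

The reply-thread check is deliberately combined with the attachment findings rather than used alone: legitimate business threads carry In-Reply-To headers all day, and the signal here is a thread reply that arrives with a macro-bearing document or an encrypted archive whose password is handed over in the same message.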
The malware’s resurgence, though lacking in any dramatic developments from previous activity, should be watched by administrators, researchers commented.
“Emotet is most feared for its alliances with other criminals, especially those in the ransomware business. The Emotet – Trick Bot – Ryuk triad wreaked havoc around Christmas time in 2018,” according to Malwarebytes.
“While some threat actors observe holidays, it is also a golden opportunity to launch new attacks when many companies have limited staff available.
This year is even more critical in light of the pandemic & the recent SolarWinds debacle. We urge organisations to be particularly vigilant & continue to take steps to secure their networks, especially around security policies & access control.”