Security researchers are tracking the return of the malware, which can steal sensitive information such as credit card details and deliver third-party malware to infected machines.
The dismantling of Emotet about two years ago is one of the most successful international actions to date in the fight against cybercrime. But now the notorious botnet seems to be staging a comeback: researchers from security specialist ESET have found clear signs of its return.
According to ESET, Emotet has already appeared in several spam campaigns. In addition, Mealybug, the hacker group behind the botnet, has developed many new modules and revised existing ones. The security specialists say the masterminds behind Emotet learned a lot from the takedown and invested considerable time in preventing their botnet from being detected. In its latest operations, targets in Italy, Spain, Japan, Mexico and South Africa were attacked.
Activities (for the moment) suspended
But since April 2023, Emotet’s activities have been suspended. However, ESET researchers do not believe the operators have given up. On the contrary, they suspect that the hackers are looking for new attack vectors. What the experts have determined since the botnet’s return, and how things could continue, is laid out in their current analysis on WeLiveSecurity.
“Emotet spreads via spam emails. The malware can steal sensitive information from compromised computers and transfer third-party malware to them. Emotet operators are not very particular about their targets. They install their malware on private systems as well as on the IT systems of companies and larger organizations,” writes ESET researcher Jakub Kaloč, who collaborated on the analysis.
New attack vector
According to ESET, from late 2021 to mid-2022, Emotet spread mainly through VBA macros in Microsoft Word and Excel documents. In July 2022, Microsoft changed the game for all malware families like Emotet and Qbot – which had used phishing emails with malicious documents as their method of propagation – by disabling VBA macros in documents downloaded from the Internet.
Kaloč comments, “The shutdown of Emotet’s main attack vector prompted its operators to look for new ways to compromise their targets. Mealybug began experimenting with malicious LNK and XLL files in search of a new attack vector as effective as VBA macros. In 2023, they ran three different malspam campaigns, each testing a slightly different path of intrusion and a different social engineering technique.”
However, the reduced scope of the attacks and the constant changes in approach may indicate dissatisfaction with the results, the researcher said. Emotet then embedded a decoy in Microsoft OneNote files. Despite a warning on opening that this action could lead to malicious content, users reportedly still clicked on it.
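The section above lists the delivery formats Emotet moved through once Internet-sourced VBA macros were blocked: macro-bearing Office documents, LNK shortcuts, XLL add-ins and OneNote files, usually wrapped in a zip archive. The following added example is not code from ESET or from the article; it is a small attachment triage routine a mail-gateway defender might run to flag exactly those file types. It parses a raw RFC 822 message, unpacks zip containers (to a depth limit), flags the risky extensions, and detects VBA macros by looking for the `vbaProject.bin` member that OOXML documents store macros in. The rule table, the sample message and all attachment bytes are constructed for the demonstration; the fake LNK and `vbaProject.bin` contents are placeholders, not real files.

```python
"""Attachment triage for the Emotet delivery formats named in the article (added example)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed rule set: extensions the article names as Emotet delivery vectors,
# plus the macro-enabled Office types the VBA block was aimed at.
RISKY_EXTENSIONS = {
    ".lnk": "Windows shortcut (LNK)",
    ".xll": "Excel add-in (XLL)",
    ".one": "OneNote notebook",
    ".docm": "macro-enabled Word document",
    ".xlsm": "macro-enabled Excel workbook",
    ".doc": "legacy Word document, may carry VBA",
    ".xls": "legacy Excel workbook, may carry VBA",
}
MAX_DEPTH = 3  # nested zip archives to unpack before giving up


def _ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    return name[name.rfind("."):].lower() if "." in name else ""


def inspect_blob(name: str, data: bytes, depth: int = 0) -> list[dict]:
    """Return findings for one attachment, descending into zip containers."""
    findings = []
    ext = _ext(name)
    if ext in RISKY_EXTENSIONS:
        findings.append({"name": name, "depth": depth, "reason": RISKY_EXTENSIONS[ext]})
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        # OOXML files (docx/docm/xlsm...) are zip containers; VBA code lives in */vbaProject.bin,
        # so this catches macros even when the extension has been renamed.
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            findings.append({"name": name, "depth": depth,
                             "reason": "contains vbaProject.bin (VBA macros)"})
        if ext == ".zip" and depth < MAX_DEPTH:
            for m in members:
                if m.endswith("/"):
                    continue  # directory entry
                try:
                    findings.extend(inspect_blob(m, zf.read(m), depth + 1))
                except RuntimeError:
                    # password-protected entry: cannot be inspected, flag it instead
                    findings.append({"name": m, "depth": depth + 1,
                                     "reason": "encrypted archive entry, not inspectable"})
    return findings


def triage_message(raw: bytes) -> list[dict]:
    """Walk every attachment of a raw message and collect findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(inspect_blob(name, part.get_payload(decode=True) or b""))
    return findings


def _zip_bytes(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed sample: a reply-style lure carrying a zipped LNK and a macro document."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "RE: invoice"
    msg.set_content("Please see the attached documents.")
    # zip wrapping a placeholder .lnk (the bytes are not a real shortcut)
    lnk_zip = _zip_bytes({"invoice.lnk": b"L\x00\x00\x00" + b"\x00" * 60})
    msg.add_attachment(lnk_zip, maintype="application", subtype="zip",
                       filename="invoice.zip")
    # minimal OOXML-shaped container with a placeholder vbaProject.bin member
    docm = _zip_bytes({"[Content_Types].xml": b"<Types/>",
                       "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
    msg.add_attachment(docm, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="report.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        print(f"{'  ' * f['depth']}{f['name']}: {f['reason']}")
```

Running the script on the constructed message reports three findings: `invoice.lnk` one level inside the zip, and `report.docm` twice (once by extension, once because it carries a `vbaProject.bin` member). A plain text attachment produces none. The depth limit and the handling of encrypted entries are there because nested and password-protected archives are exactly where a naive scanner either loops or silently skips the payload.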
Emotet is under development
After its reappearance, Emotet received several updates. Most notably, the botnet changed its cryptographic scheme and implemented several new obfuscations to protect its modules, according to the analysis. Since their return, Emotet’s operators have gone to great lengths to prevent their botnet from being monitored and tracked. They are also said to have implemented several new modules and improved existing ones to remain profitable.
According to ESET, Emotet is distributed via spam emails. Recipients often trusted these messages because the criminals managed to hijack existing email conversation threads using special techniques. Prior to the takedown, Emotet used modules ESET calls Outlook Contact Stealer and Outlook Email Stealer, which were capable of stealing emails and contact information from Outlook. However, since not everyone uses Outlook, after its return Emotet also targeted a free alternative email client: Thunderbird. Additionally, the botnet began using a Google Chrome Credit Card Stealer module, which steals credit card information stored in the Google Chrome browser.
The calm before the storm?
According to ESET telemetry and the researchers’ impression, the Emotet botnets have been silent since early April 2023. This is likely due to the fact that a new effective attack vector has been found. Most of the attacks detected by the security researchers since January 2022 have targeted Japan (43%), Italy (13%), Spain (5%), Mexico (5%) and South Africa (4%).