Recent analysis of Emotet activity has revealed a shift away from malicious Office documents to drop malware


The cyber criminal group operating the resurgent Emotet botnet has been observed trialling new attack techniques as Microsoft’s new rules on macro-enabled documents come into force.

Proofpoint researchers, who attribute Emotet to Threat Actor 542 (TA542), said the botnet has been observed taking a ‘spring break’, with low levels of activity coinciding with observed changes in attack methodology.

Emotet has typically exploited weak rules on macro-enabled Microsoft Office documents to deliver its malware payload to victims, but now that Microsoft has made the default handling of macro-enabled documents more secure, its attack vectors are seemingly about to change.

In a report published today, Proofpoint said it observed Emotet moving away from malicious Office documents and instead opting to include OneDrive URLs in spam email campaigns. The URLs lead to the download of a zip archive containing XLL files that drop the Emotet malware.

The malicious emails are typically designed to lure victims with one-word subject lines such as ‘Salary’, with the zip archive files adopting file names similar to the original lure: ‘Salary_new.zip’ was one example, containing XLL file names such as ‘Salary_and_bonuses-04.01.2022.xll’.

The XLL files drop and run Emotet, which uses the Epoch 4 botnet, Proofpoint said. It is a new attack method whose timing, coinciding with Microsoft’s more secure handling of VBA macros, is not a coincidence.
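As an added defensive example, not code from the article or from Proofpoint, the check below inspects an inbound zip archive for .xll members (XLL add-ins are native DLLs, so a genuine one starts with the PE "MZ" header) and flags the archive for quarantine. The sample archives are constructed here to mirror the lure layout described above; the XLL body is a harmless stub.

```python
import io
import zipfile

# Excel loads .xll add-ins as native DLLs, so a genuine XLL begins with the PE "MZ" header.
XLL_SUFFIX = ".xll"
PE_MAGIC = b"MZ"


def build_archive(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_zip_for_xll(data: bytes) -> list:
    """Return one finding per .xll member: name, size and whether it carries a PE header.

    Only the first two bytes of each candidate are read, so nothing is fully extracted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XLL_SUFFIX):
                continue
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            findings.append({"name": info.filename, "size": info.file_size,
                             "is_pe": head == PE_MAGIC})
    return findings


def should_quarantine(data: bytes) -> bool:
    """Policy: hold any inbound archive that contains an .xll member for review.

    The PE check is reported for analyst context, not used to wave a non-PE .xll through.
    """
    return bool(inspect_zip_for_xll(data))


# Constructed samples mirroring the lure layout the article describes. The XLL body is a
# harmless stub (MZ header plus zero padding), not a real add-in.
SAMPLE_LURE = build_archive({"Salary_and_bonuses-04.01.2022.xll": PE_MAGIC + b"\x00" * 62})
SAMPLE_BENIGN = build_archive({"Salary_new.pdf": b"%PDF-1.4 constructed placeholder"})

if __name__ == "__main__":
    for label, archive in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, should_quarantine(archive), inspect_zip_for_xll(archive))
```

The same check can sit in a mail gateway or sandbox pre-filter; it deliberately reads only the member header rather than extracting the archive.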

Asked whether the trial of new attack tactics, techniques, and procedures (TTPs) was linked to the new rules on macro-enabled Office documents, Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said it “absolutely” was.

“This is something threat actors who are agile and experienced like TA542 will likely continue to do as time goes on,” she said to IT Pro. “The Microsoft choice to make changes to default handling of macro documents has implications on the threat landscape and this could be a part of threat actors making decisions to leverage new attack chains that aren’t impacted by that decision.

“Malicious macro documents are a large part of the threat landscape, but they’re not the only option. We regularly observe actors using container files like .iso’s, for example. Threat actor groups will continue to experiment, and early signs point towards XLL files being one direction the landscape may shift toward.”

Microsoft announced changes to the default handling of VBA macros in February, and the rules came into force this month. Last year it also said it would disable XL4 macros; both moves were made to stymie cyber attacks that use this method of payload delivery.

IT Pro asked Proofpoint for data on the number of successful Emotet attacks it has observed, and the number of Emotet attacks taking place since its 2021 resurgence, but it was unable to share the data.

Other cyber security outfits, such as Black Lotus Labs, have published their findings after tracking Emotet’s new version, reporting that in March 2022 unique Emotet detections were in the tens of thousands per day. Check Point also said it was the most prevalent malware strain it tracked in March 2022.

“After months of consistent activity, Emotet is switching things up,” said DeGrippo. “It is likely the threat actor is testing new behaviours on a small scale before delivering them to victims more broadly, or to distribute via new TTPs alongside its existing high-volume campaigns.

“Organisations should be aware of the new techniques and ensure they are implementing defences accordingly.”
