The Emotet group creates new infection process to perform attacks

March 2, 2022

The Emotet group has resurfaced with new strategies for spreading and distributing malware: macro-laden Excel files combined with several layers of obfuscation.

Researchers observed that the new Emotet infection method runs through multiple phases, each using a different script or file type, before delivering a payload that is obfuscated to evade detection.

Once the infection process is triggered, it downloads a macro and runs an HTML application, which in turn downloads two further PowerShell stages that acquire and execute the final payload.

Since the early weeks of December last year, the threat actors delivered an Excel file with a hidden Excel 4.0 macro through socially engineered emails.

Researchers noted that the Emotet group can run several different attack chains, since it has multiple variations of the attack at its disposal.

The latest Emotet infection comes in several variations for distributing the malicious Excel documents. In some instances, Emotet used a password-protected [.]ZIP file attached to an email; in others, researchers saw the group attach the Excel spreadsheet directly to the email sent to targets.

In this campaign, the threat actors used email thread hijacking alongside other attack strategies. A message sent by the botnet in January reused a stolen email thread from June of the same year. The lure consisted of an encrypted [.]ZIP attachment, used to slip past security solutions, together with the password the victim needed to open it.

Moreover, the encrypted [.]ZIP file contained a single Excel document carrying Excel 4.0 macros. Once the macro runs, a remote HTML application is executed to download and run additional PowerShell code, which in turn retrieves a second-stage PowerShell script that fetches the Emotet binary.
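The chain described above (Excel 4.0 macro, HTML application, two PowerShell stages) maps directly onto a process-ancestry rule a SOC can run over endpoint telemetry. The following is an added example, not code from the original article or from the researchers it cites; it works on constructed process-creation records whose field names (pid, ppid, image) are an assumption of the example rather than any real log schema.

```python
"""Flag the Emotet-style process ancestry described above:
excel.exe -> mshta.exe -> powershell.exe [-> powershell.exe]."""

# Constructed process-creation records (Sysmon Event ID 1 style). The field
# names pid/ppid/image are an assumption of this example, not a real schema.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign control: an operator launching PowerShell from a console, not from Office.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def _exe(image):
    """Return the lower-cased file name from a full image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_emotet_chains(events):
    """Walk parent pointers from every powershell.exe event and return each
    chain [powershell ..., mshta, excel] as a list of the matching events.
    One chain is reported per mshta.exe process, keeping the deepest one, so
    stage-1 and stage-2 PowerShell do not produce duplicate alerts."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        if _exe(e["image"]) != "powershell.exe":
            continue
        lineage, cur = [e], by_pid.get(e["ppid"])
        # Stage-1 PowerShell may spawn stage-2 as a child, or run it in-process.
        while cur is not None and _exe(cur["image"]) == "powershell.exe":
            lineage.append(cur)
            cur = by_pid.get(cur["ppid"])
        if cur is None or _exe(cur["image"]) != "mshta.exe":
            continue
        hta, office = cur, by_pid.get(cur["ppid"])
        if office is None or _exe(office["image"]) != "excel.exe":
            continue
        chain = lineage + [hta, office]
        if len(chain) > len(hits.get(hta["pid"], [])):
            hits[hta["pid"]] = chain
    return list(hits.values())


if __name__ == "__main__":
    for chain in find_emotet_chains(SAMPLE_EVENTS):
        print(" <- ".join(f"{_exe(e['image'])}({e['pid']})" for e in chain))
```

The same ancestry walk applies to the other Office hosts Emotet has used over the years; only the final executable name check needs to change.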

The Emotet group remains a significant threat to every security provider and is known for continually upgrading its infection methods and delivery techniques to bypass security solutions.
