The Emotet malware operators adopted new campaign strategies

October 18, 2022

A new cybersecurity analysis has revealed that the operators of Emotet have been upgrading their malware continuously since its reemergence last year. The Emotet operators are also tracked as the Mummy Spider group or TA542.

According to a recent report from a cybersecurity research firm, the malware has adopted new techniques and infrastructure to bypass security detection and hinder analysis. The researchers also state that the Emotet group rotates between different delivery vectors while attempting to stay hidden from security solutions.

The most common vectors for spreading the botnet are spam messages, embedded URLs, and malicious documents. The actors rely on these vectors to propagate their malware through unwitting downloads by the recipients.

Earlier this year the group dropped its payload using three distinct infection methods. The researchers identified malicious Excel 4.0 macros, VBA macros with PowerShell, and Excel 4.0 macros with a PowerShell script.

In several cases, the botnet operators were seen abusing the legitimate mshta[.]exe tool to drop the Emotet malware through a malicious HTA file.
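As an added example (not from the report or this article), the following Python check runs over constructed Sysmon-style process-creation events and flags the parent/child pairs the infection methods above depend on: an Office application spawning mshta.exe with an .hta file, or spawning PowerShell with hidden or encoded arguments. The field names, paths and command lines are assumed sample data, not real telemetry.

```python
# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\user\AppData\Local\Temp\invoice.hta"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <constructed-base64-blob>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Office parents and the script hosts the article's infection chains lean on.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert label for one event, or None when the pair looks benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    if child == "mshta.exe" and ".hta" in cmd:
        return "office_spawned_mshta_hta"
    if child == "powershell.exe" and ("-enc" in cmd or "hidden" in cmd):
        return "office_spawned_encoded_powershell"
    return "office_spawned_script_host"


def detect(events):
    """Return (child image, label) for every event that matches a rule."""
    alerts = []
    for event in events:
        label = classify(event)
        if label:
            alerts.append((basename(event["Image"]), label))
    return alerts


if __name__ == "__main__":
    for child, label in detect(SAMPLE_EVENTS):
        print(f"ALERT {label}: {child}")
```

The explorer.exe-launched backup script and the Word-to-notepad pair are left unflagged on purpose, to show the rule keys on the parent process rather than on PowerShell or mshta alone.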

The Emotet malware operators have altered their communication servers.

Several months after its reemergence, the Emotet authors modified their command-and-control infrastructure. The malware now operates two botnet clusters, called Epoch 4 and Epoch 5, which the attackers pushed heavily during their recent campaigns.

Additionally, more than 10,000 Emotet payloads were found using command-and-control servers belonging to the Epoch 5 cluster. In the study, the researchers extracted 328 unique IP addresses from DLL payloads, nearly 40% of which belong to the Epoch 5 botnet.

Furthermore, Emotet introduced two new modules, one targeting the SMB protocol and the other the Google Chrome browser. The actors built the Chrome module to steal credit card data; the SMB module was designed to achieve lateral movement over the SMB protocol.

Most of the sample payloads used in a recent campaign carried ten modules: MailPassView, WebBrowserPassView, four spam modules, and four ThunderbirdStealer modules.

Cybersecurity experts suggest that companies enforce a zero-trust approach to their security defences. Organisations should also employ robust authentication and implement network segmentation. Lastly, it is recommended to apply security updates for all software, plugins, firmware, and operating systems as soon as they become available.