The Emotet malware is experiencing a surge in popularity, and it’s likely that it’ll soon transition to new payloads that are recognized by fewer antivirus engines.
Last month, security researchers monitoring the botnet noticed a tenfold rise in emails delivering dangerous payloads.
Emotet is a self-propagating modular trojan that can stay on the host for a long time. It can be used to steal user data, do network reconnaissance, move laterally, or drop additional payloads, such as Cobalt Strike and ransomware.
It has been steadily developing since the beginning of the year, but its operators may be shifting into high gear now.
An increase in distribution
According to a report released today by Kaspersky, Emotet activity increased dramatically from February to March, increasing from 3,000 to 30,000 emails.
English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian, Spanish, and Chinese are among the languages utilized in these messages.
Emotet distributors are recognized for altering the themes on a regular basis to capitalize on seasonal interest shifts. They’re taking advantage of the Easter holiday this time.
In March 2022, Check Point produced a report that listed Emotet as the most prevalent and active malware.
The ongoing Emotet email distribution campaigns, according to Kaspersky, use discussion thread hijacking techniques similar to those used in Qbot campaigns related to the same operators.
“Cybercriminals intercept current communications and send recipients an email containing a file or link that often links to a legitimate popular cloud-hosting provider,” says the Kaspersky report.
“The goal of the email is to persuade users to either (i) open an email attachment or (ii) follow the link and download an old document and access it – sometimes using a password specified in the email,” the researchers write.
Because the threat actors have access to previous correspondence, it is relatively easy for them to present the attachment as a continuation of the conversation with colleagues.
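The lure described above (a reply into an existing thread, a link to a public file-hosting service or an Office attachment, and a password stated in the body) lends itself to a simple mail-gateway triage check. The following is an added example written for this article, not code from Kaspersky or from the article itself; the host list, file extensions, score threshold and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed watch list of popular file-hosting domains (assumption, not from the report).
CLOUD_HOSTS = ("drive.google.com", "onedrive.live.com", "dropbox.com", "mega.nz", "wetransfer.com")
OFFICE_EXT = (".doc", ".docm", ".xls", ".xlsm", ".zip")
PASSWORD_RE = re.compile(r"\b(password|passwd|passcode)\s*[:=]?\s*\S+", re.I)
URL_RE = re.compile(r"https?://([^\s/\"'>]+)", re.I)

def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for p in parts:
        if p.get_content_type() in ("text/plain", "text/html"):
            payload = p.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw: str) -> dict:
    """Score the thread-hijacking indicators; flag replies that combine three of them."""
    msg = message_from_string(raw)
    text = body_text(msg)
    hosts = [h.lower() for h in URL_RE.findall(text)]
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    indicators = {
        "thread_reply": bool(msg.get("In-Reply-To") or msg.get("References")),
        "cloud_link": any(h.endswith(c) for h in hosts for c in CLOUD_HOSTS),
        "office_attachment": any(a.lower().endswith(OFFICE_EXT) for a in attachments),
        "password_in_body": bool(PASSWORD_RE.search(text)),
    }
    score = sum(indicators.values())
    # A genuine reply is only suspicious when the delivery indicators stack up (threshold is an assumption).
    indicators["suspicious"] = indicators["thread_reply"] and score >= 3
    return indicators

# Constructed sample: a reply into an existing thread carrying a cloud link and a password.
SAMPLE_LURE = """From: colleague@example.com
To: victim@example.com
Subject: RE: Invoice March
In-Reply-To: <abc123@example.com>
Content-Type: text/plain; charset=utf-8

Hi, here is the updated document we discussed:
https://drive.google.com/file/d/constructed-id/view
Password: Easter2022
"""

# Constructed sample: an ordinary reply with none of the delivery indicators.
SAMPLE_BENIGN = """From: colleague@example.com
To: victim@example.com
Subject: RE: lunch
In-Reply-To: <def456@example.com>
Content-Type: text/plain; charset=utf-8

Sounds good, see you at noon.
"""
```

The check is deliberately conservative: a reply that merely contains a link is not flagged, only one that also pairs it with a password or a macro-capable attachment.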
Change to 64-bit mode
The malware operators have also switched to 64-bit loaders and stealer modules on Epoch 4, one of the botnet’s subgroups that runs on separate infrastructure, according to the Cryptolaemus security research group, which is keeping a close eye on Emotet botnet activity. Previously, 32-bit code was used.
#Emotet Update – It appears that Ivan has been active since laying an egg for Easter. Emotet on Epoch 4 has migrated to 64-bit loaders and stealer modules as of around 14:00UTC on 2022/04/18. Except for the occasional loader quirks, everything was 32-bit previously. 1/x April 19, 2022 — Cryptolaemus (@Cryptolaemus1)
The changeover is not evident on Epoch 5, but the wait is to be expected, according to Cryptolaemus researchers, because Epoch 4 is often used as a development testbed for Emotet operators.
The detection rate for Epoch 4 has already decreased by 60%, which is thought to be a direct result of this change.