top of page
  • Writer's pictureInception Security

Emotet Changing Techniques

Phishing attacks remain the number one technique used in cyberattacks. Some of the most common phishing attacks leveraged attachments to facilitate the initial infection chain. We disproportionally see Microsoft Office documents and PDF files used to embed the malicious code as far as the attachments themselves go. When we say Microsoft Office documents, we refer to files created by the Microsoft Office suite such as Microsoft Word, Excel, PowerPoint, etc. Historically we would see the threat actors insert malicious code into these documents using macros.

Macro malware typically hides in Microsoft Office files and is delivered as email attachments. These files use names intended to entice or prompt users into opening them. They often look like invoices, bank receipts, and legal documents to create urgency. Macro malware was common because the macros ran automatically once a document was opened. However, in recent versions of Microsoft Office, macros are now disabled by default. Malware authors now need to convince users to turn on macros so that their malware can run or change their techniques.

What is Emotet?

Emotet is a Trojan primarily spread through spam emails commonly referred to as malspam. The infection may arrive via a malicious script, macro-enabled office document files, and malicious links. In addition, Emotet emails often contain familiar branding designed to look like legitimate emails. Emotet may persuade users to click the malicious files by using tempting language about "Your Invoice," "Payment Details," or possibly an upcoming shipment from well-known parcel companies.

Emotet has gone through a few iterations. Early versions arrived as malicious JavaScript files. Later versions evolved to use macro-enabled documents to retrieve the virus payload from the attacker's command and control (C&C) servers. In addition, Emotet uses several techniques to prevent detection and analysis. Most notably, Emotet knows if it's running inside a virtual machine (VM) and will lay dormant if it detects a sandbox environment, a tool cybersecurity researchers use to observe malware within a safe, controlled space.

Emotet also uses C&C servers to receive updates. This works the same way as the operating system updates on your PC and can happen seamlessly without outward signs. Unfortunately, this allows the attackers to install updated software versions, install additional malware such as other banking Trojans, or act as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.

Emotet has new techniques?

Researchers at Proofpoint observed a low volume of emails during the threat actor's quiet "spring break" period. Additionally, Proofpoint observed the threat actor sending out OneDrive URLs, which hosted zip files that contained Microsoft Excel add-in (XLL) files that dropped Emotet malware onto target computers. This technique is uncharacteristic as macro malware has always been used in the past. A key reason for Emotet threat actor testing the new methods appears to be linked to the recent actions by Microsoft to disrupt its previous attack techniques. Microsoft in February announced it would begin blocking Visual Basic for Application macros by default starting in April. In July 2021, Microsoft announced plans also to disable XL4 macros. As a result, your organization can take steps to reduce the likelihood of being another victim of an Emotet phishing email.

  1. Reduce the countries you accept emails from.

  2. Block ZIP attachments coming from external email addresses.

  3. Implement an email security gateway that can inspect email attachments.

  4. Enforce MFA on all email accounts to ensure an internal email account cannot be used to send phishing emails.

  5. Configure SPF, DKIM, and DMARC for your email domains.

  6. Implement mandatory and routine security awareness training.

  7. Implement an EDR and deploy it across all supported hosts.

The recently published Cyber Risk Index, a study by Trend Micro and the Ponemon Institute, indicates that over three-quarters of organizations expect to suffer a cyberattack in the next 12 months. One-fourth of which says an attack is "very conceivable."According to the report, more than 80% of the 3,400 CISOs, IT professionals, and managers that completed the survey suggested their organizations were targeted with one or more successful cyberattacks in the past year, and 35% suffered seven or more attacks, which covers the second half of 2021.

We are here to help!

Are you looking for ongoing advisory services to assist in identifying vulnerabilities and security policies that should be in place and help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of fortune 100 companies, small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.

Contact Inception Security if your company is looking for advisory services.


bottom of page