The Emotet malware is seeing a surge in activity, and it will probably soon transition to new payloads that fewer antivirus engines recognize. Last month, security researchers monitoring the botnet saw a tenfold rise in emails delivering malicious payloads.
Emotet is a self-propagating customizable trojan that may stay on the host for a long time. It may steal user data, do network reconnaissance, move laterally, or drop additional payloads, like Cobalt Strike and ransomware. It has been steadily developing since the beginning of the year, but its operators may be moving into high gear now.
According to a study issued today by Kaspersky, Emotet activity increased dramatically from February to March, rising from 3,000 to 30,000 emails. English, Hungarian, French, Italian, Spanish, Norwegian, Russian, Polish, Slovenian, and Chinese are among the languages primarily used in these messages.
Emotet distributors are known for changing their lure themes regularly to capitalize on seasonal interest shifts; this time they are taking advantage of the Easter holiday. In March 2022, Check Point issued a study that listed Emotet as the most widespread and active malware. Kaspersky found that the ongoing Emotet email distribution campaigns use conversation-thread hijacking techniques similar to those seen in Qbot attacks linked to the same operators.
“Cybercriminals intercept already existing correspondence and send the recipients an email containing a file or link, which often leads to a legitimate popular cloud-hosting service,” as stated by Kaspersky.
“The aim of the email is to convince users to either (i) follow the link and download an archived document and open it – sometimes using a password mentioned in the email, or (ii) simply open an email attachment,” as per the researchers.
Because the threat actors have access to the previous messages, it is straightforward for them to present the attachment as a continuation of an existing conversation with colleagues. The malware operators have also migrated to 64-bit loaders and stealer modules on Epoch 4, one of the botnet's subgroups that runs on separate infrastructure, according to the Cryptolaemus security research group, which closely tracks Emotet botnet activity. Previously, 32-bit code was used.
Cryptolaemus researchers said that the changeover is not yet evident on Epoch 5, but it is expected to follow, since Epoch 4 is often used as a development testbed by the Emotet operators. The detection rate for Epoch 4 has already decreased by 60%, which is thought to be a direct outcome of this change.