The threat actor behind the prolific Emotet botnet is testing new attack methods on a small scale before folding them into its larger-volume malspam campaigns, potentially in response to Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default across its products.
Calling the new activity a "deviation" from the group's typical behavior, Proofpoint alternatively raised the possibility that the latest round of phishing emails distributing the malware shows the operators are now "engaged in more selective and limited attacks alongside typical large-scale email campaigns".
Emotet, the work of a cybercrime group tracked as TA542 (aka Mummy Spider or Gold Crestwood), staged something of a revival late last year after a 10-month hiatus that followed a coordinated law enforcement operation to dismantle its attack infrastructure.
Since then, Emotet campaigns have targeted thousands of customers with tens of thousands of messages across multiple geographies, with message volume exceeding one million per campaign in some cases.
The new "low-volume" email campaign analyzed by the enterprise security firm used salary-themed lures and OneDrive URLs hosting ZIP archives that contain Microsoft Excel Add-in (XLL) files, which, when executed, drop and run the Emotet payload.
The new round of social engineering attacks reportedly took place between April 4, 2022 and April 19, 2022, a period during which the other, widespread Emotet campaigns were paused.
The absence of macro-enabled Microsoft Excel or Word attachments is a notable departure from previously observed Emotet attacks, and suggests the threat actor is moving away from that technique to get around Microsoft's plan to block VBA macros by default starting in April 2022.
The development also comes as the malware's authors last week fixed a bug that had prevented potential victims from being compromised when they opened weaponized attachments.
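The shift from macro-enabled documents to XLL add-ins inside ZIP archives is the detection-relevant point here: an XLL is a native PE DLL, so mail-gateway or sandbox checks that only look for VBA macros will miss it. The following is an added example, written for this article and not code from Proofpoint or from any Emotet sample, that inspects a ZIP attachment and flags members that carry the `.xll` extension or start with the `MZ` PE header. It goes slightly beyond the campaign described above by also flagging PE bytes hiding under a spreadsheet filename. The archive contents are constructed in memory for the demonstration; the `MZ` stub stands in for a real executable and no genuine add-in is embedded.

```python
import io
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample attachment: an XLL add-in, a benign note, and a
    PE image disguised with a spreadsheet extension. Entirely synthetic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("salary_report.xll", b"MZ" + b"\x00" * 62)  # constructed PE stub
        zf.writestr("notes.txt", b"Q1 salary review notes")       # benign member
        zf.writestr("invoice.xlsx", b"MZ" + b"\x00" * 62)         # PE bytes, wrong name
    return buf.getvalue()


def scan_zip_for_xll(data: bytes) -> list[dict]:
    """Return one finding per ZIP member that looks like an Excel add-in or
    any other native executable. Each finding lists the reasons it fired so
    an analyst can see whether the name, the content, or both matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read only the first two bytes: enough to check for the PE magic.
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if info.filename.lower().endswith(".xll"):
                reasons.append("xll-extension")
            if head == b"MZ":
                reasons.append("pe-image")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def should_quarantine(findings: list[dict]) -> bool:
    """Policy decision for a mail gateway: any executable content inside an
    inbound archive is enough to hold the message for review."""
    return any("pe-image" in f["reasons"] or "xll-extension" in f["reasons"]
               for f in findings)


if __name__ == "__main__":
    sample = build_sample_zip()
    for finding in scan_zip_for_xll(sample):
        print(f"{finding['member']}: {', '.join(finding['reasons'])}")
    print("quarantine:", should_quarantine(scan_zip_for_xll(sample)))
```

The content check matters more than the extension check: renaming the add-in does not change the fact that Excel will load it as native code, and the `MZ` test catches it regardless of name. On the endpoint side, the complementary control is Excel's Trust Center setting that requires application add-ins to be signed by a trusted publisher, so that an unsigned XLL delivered by mail does not run even if the archive gets through.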
“After months of constant activity, Emotet is changing things,” said Sherrod DeGrippo, vice president of research and threat detection at Proofpoint.
“It is likely that the threat actor will test new behaviors on a small scale before releasing them more widely to victims, or distributing them via new TTPs alongside their existing high-volume campaigns. Organizations should be aware of the new techniques and ensure that they implement defenses accordingly.”