Changes in Emotet Behaviour in Ongoing Spam Campaigns

Delaware, USA – September 20, 2019 – The triumphant return of Emotet botnet with the new campaign this week made a lot of noise, and in addition to the scale of the campaign, researchers noted significant changes in both the botnet’s infrastructure and the infection methods. The campaign started on Monday, cybercriminals attacked users from the United States, Poland, Germany, and Italy, but during the campaign, the botnet began sending spam emails to Switzerland, Austria, Spain, and the United Kingdom. The Cisco Talos group discovered that attackers continue to use customized templates based on previously stolen emails, which they started using in April, shortly before the botnet shut down. New campaigns – new templates. At the beginning of the campaign, the attackers convinced their victims to enable macro by asking to “Accept license agreement” but soon changed this. Now, when a document is double-clicked, the victim is warned that the document is open in the Protected view and it is necessary to click Enable Editing button or the document will be displayed incorrectly. Further research showed that now spam emails may contain a malicious link instead of document attachment and this can bypass filters that block emails with attachments.

Another major innovation affects the use of WScript instead of running PowerShell commands. Now part of the malicious attachments create an obfuscated JSE file and execute it using WScript. And last but not least, Emotet botnet now is split into 3 ‘Epochs’ so attackers have three different botnets with distinct C&C infrastructures that use separate RSA keys for communications. Using multiple Epochs simplifies the operation of an overgrown botnet, and also allows cybercriminals to more accurately focus attacks on specific countries.
Content available on Threat Detection Marketplace:
Rule digest for ‘PowerShell’ technique: https://www.peerlyst.com/posts/rule-digest-for-powershell-technique-t1086-part-1-soc-prime
Execution wscript.exe – https://tdm.socprime.com/tdm/info/1087/
WScript or CScript Dropper – https://tdm.socprime.com/tdm/info/1207/