After a three-month break, the Emotet malware operation resumed blasting dangerous emails on Tuesday morning while it reestablished its infrastructure and infected devices worldwide. Email attachments containing infected versions of Microsoft Word and Excel are the primary vector for spreading the infamous Emotet malware. The Emotet DLL will be downloaded and loaded into memory when the user opens one of these documents with macros turned on.
When Emotet is installed, it will wait patiently for further instructions from its C&C server. Unfortunately, it returned.
Emotet malware 2023
The Emotet botnet has restarted sending emails, according to warnings from cybersecurity firm Cofense and Emotet-tracking organization Cryptolaemus.
🚨Emotet Awakens🚨 As of 1200UTC Ivan finally got E4 to send spam. We are seeing Red Dawn templates that are very large coming in at over 500MB. Currently seeing a decent flow of spam. Septet of payload URLs and ugly macros. Sample: https://t.co/fWZ8n3PlFi 1/3 pic.twitter.com/r5uuiECWnp
— Cryptolaemus (@Cryptolaemus1) March 7, 2023
According to confirmation from Cofense to BleepingComputer, the spam campaign kicked off at 7:00 AM ET, with relatively low volumes at the moment.
“The first email we saw was around 7am EST. Volume remains low at this time as they continue to rebuild and gather new credentials to leverage and address books to target.”
What does Emotet malware look like?
Below is an example of how the threat actors are changing tactics from the previous campaign by sending emails that appear to be invoices instead of reply chains.
When you open one of these emails, you’ll usually find a ZIP file containing Word documents that are above 500 MB in size. By including unnecessary data, they increase file size and make detection by antivirus software more challenging.
A “Red Dawn” template from Emotet was used to prepare these.docx files, and readers must enable content before viewing them. We recommend that you do not click on it.
Do you know the Acer hack is confirmed? Hackers put 160GB of company data up for sale!
Microsoft saves the day
After recent changes made by Microsoft, the present method may not be very successful as Emotet rebuilds its network.
Downloaded Office documents from the Internet no longer contain macros by default as of July 2022.
Users will now be greeted with a warning explaining that macros have been disabled since the file’s origin cannot be verified when they open an Emotet document.
With this feature, people who receive Emotet emails are less likely to accidentally enable macros unless they take active steps to do so.