The Emotet malware-delivery botnet is back after a short hiatus, quickly ramping up the number of malicious emails it’s sending and sporting additional capabilities, including changes to its binary and delivering a new version of the IcedID malware dropper.
There also are reports that Emotet also is delivering the Bumblebee malware loaders as well, according to Proofpoint analysts.
The various changes after almost four months of silence also could indicate a change of management for Emotet, which has been run by the threat group TA542 and in April was ranked as the top malware threat – affecting six percent of companies worldwide.
“Overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet,” Proofpoint researchers wrote in a report published Wednesday. “The addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership or at least the start of a relationship between IcedID and Emotet.”
Dropping IcedID signals that Emotet is again fully functional, acting as a delivery network for other malware families. That’s something that it hadn’t shown – beyond Cobalt Strike – since 2021 and the delivery of The Trick and Qbot, and it’s not good news.
“TA542’s return coinciding with the delivery of IcedID is concerning,” the researchers wrote. “IcedID has previously been observed as a follow-on payload to Emotet infections. In many cases, these infections can lead to ransomware.”
Comebacks are old hat for Emotet, which began life in 2014 as a banking trojan before evolving into a botnet. Law enforcement from the United States, Europe, the UK, and Ukraine in January 2021 took down Emotet’s infrastructure, sparking hope that the malware threat was over. However, the group – also known as Mummy Spider and Gold Crestwood – resurfaced in November 2021 and soon became a dominant cyberthreat.
Emotet went dark July 13 before returning November 2. The researchers wexpect the operators will continue to evolve, pushing the volume of emails higher, expanding its geographic reach – beyond the US, the UK, Europe, and Latin America to include Greece – and adopting new variants and techniques.
The changes to Emotet’s binary also indicate the threat group behind Emotet will continue to adapt.
“Cyber criminals can go dark or change tactics for a host of reasons, whether it’s in response to government or law enforcement intervention, because cyber criminals joined other groups, they’re developing new malware or trying a different business model,” Darren Guccione, co-founder and CEO of Keeper Security, told The Register. “In this case, it appears developers are trying to deter researchers as the group improves their malware in order to stay one step ahead in a continuously evolving threat landscape.”
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said that TA542 is allegedly based in Ukraine, therefore it could have been disrupted because of the fighting with Russia.
“Heck, they could have just wanted to take a vacation and enjoy their massive earnings for a while,” Clements told The Register. He added that it wouldn’t be surprising if there were new people in charge. “It’s very possible that original members decided they had stolen enough money and it was time to retire and hand the reins to new people.”
The volume of attacks also is significant, Yotam Segev, co-founder and CEO at Cyera, told The Register.
“Because it’s a known malware, various security vendors know how to block it,” Segev said. “In order to keep the botnet alive, higher volume and expanding the geographic boundaries is a must.”
The malicious content delivered via emails is still is an Excel attachment or password-protected zip attachment containing an Excel file. However, the Excel file now includes instructions for victims to copy the file to a Microsoft Office Template and run it from there so that the contained macros will execute without warnings or user interaction.
“However, while moving a file to a template location, the operating system asks users to confirm, and [says] that administrator permissions are required to do such a move,” they wrote. “It remains unclear how effective this technique is.”
They also saw changes before November indicating developers were working on the botnet – including the use of the XMRig Monero cryptominer and a new module that gathers information from an infected system, including the hostname, username, OS information, CPU, and memory size.
Since November 2, Proofpoint has found new commands, new check-in packet information, and an updated packer in Emotet. The threat group also reimplemented the communications loop – using the Windows API CreateTimerQueueEx to determine how often requests are made to the command-and-control (C2) servers.
Mistakes with the C2 servers – including IPs missing from some modules and C2 servers existing in some modules but not others – are another indication that new people are in charge. The IcedID loader variant appears to be brand new or still under development, and likely is being delivered to machines that already are compromised.
That and other changes in the variant “could indicate that more priority is being placed on the IcedID bots running on Emotet machines or that the group managing IcedID bots from malspam is different than the group managing the bots sourced from Emotet,” the researchers wrote.
Oddly, Proofpoint saw Emotet campaigns every weekday between November 2 and 11, but the activity has since stopped. The researchers do expect TA542 to return again soon. ®