The hackers behind Emotet — one of the longest-tenured and most prolific malware variants dating back to 2014 — have been tinkering with their well-established behaviors and testing new methods on a very small and limited scale, research out Tuesday suggests.
Cybersecurity firm Proofpoint noted that the testing could be related to steps taken in February by Microsoft to block automation services, known as macros, potentially in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default across its products. This allows cybercrime operators to seed documents with automations that enabled malware execution.
The observed activity marks a departure from the typical Emotet approach, which usually involves high-volume email campaigns targeting victims around the world, according to Proofpoint researchers. Recent campaigns using Emotet included as many as one million messages in total, the researchers said, while this latest approach represented a small fraction of that.
Proofpoint researchers attributed the testing and tweaking to a cybercrime group behind the core development of Emotet it calls TA542, also known as “Mummy Spider.” It’s unclear where Mummy Spider is based, but an April 20 joint cybersecurity advisory from the major cybersecurity agencies in the U.S., Australia, Canada, New Zealand and the U.K. included the group in a warning about possible Russian cyber attacks.
The agencies warned that Emotet has been used by a Russian cybercrime syndicate known as Wizard Spider to deliver various forms of malware to victims around the world. An October 2020 report from cybersecurity firm CrowdStrike noted that Mummy Spider had been seen deploying Wizard Spider’s TrickBot trojan malware to machines already infected with Emotet.
Emotet was once “the most dangerous malware in the world” according to Europol, until an international coalition of law enforcement agencies broke it up in January 2021. What began as a banking trojan morphed into both prolific botnet malware — allowing compromised computers to be used in combination for other attacks — and malware that hackers increasingly employ to facilitate the delivery of additional malware, including multiple ransomware strains.
After a 10-month hiatus following January 2021’s takedown, the malware roared back into the picture. Researchers with cybersecurity firm Kaspersky on April 13 reported seeing the number of victims infected with some variation of Emotet jumping from 2,843 in February 2022 to 9,086 in March.
Proofpoint researchers noted the testing period during a lull in widespread Emotet campaigns — dubbed a “spring break” — between April 4 and April 19. The developers behind Emotet were developing and testing new attack vectors during this time using compromised email accounts, not a spam module used in other Emotet campaigns, the company said. The emails had simple, one-word subject lines and contained a single Microsoft OneDrive link and no other content.
Those links led to OneDrive-hosted zip files containing Microsoft Excel files that, if executed, loaded the Epoch 4 botnet.
Other researchers have pointed to additional tweaks to the typical Emotet behaviors in recent days, such as using “.lnk” files, which are Windows shortcuts that open other files.