Security researchers have identified new Emotet variants that harvest credentials from infected devices and then use those stolen credentials to distribute the malware further, and security solutions are failing to block them.
Emotet is widely regarded as the most dangerous malware threat. Although a coalition of law enforcement agencies took down Emotet's infrastructure in January 2021, the Emotet gang has since rebuilt and improved that infrastructure and has spent months rebuilding its botnet. Over the past few months, the number of infected devices has soared.
Emotet has evolved considerably since 2014 when it was first detected. Initially, Emotet was a banking Trojan but has had further modules added over the years that have turned the malware into a full-service malware delivery mechanism. Emotet malware is commonly used to infect devices with a range of different banking Trojans, malware, and ransomware variants.
According to researchers at Deep Instinct, who have recently detected several new Emotet variants, the Emotet gang appears to be operating at full power once again. Most troubling, the gang is using more sophisticated tactics, techniques, and procedures and is succeeding in bypassing standard email security tools. Massive campaigns distributing the malware have been detected in recent months. In February and March 2022, the gang targeted Japanese businesses, then moved on to massive campaigns targeting other regions in April and May 2022. The researchers said the number of infected devices increased by 2,700% from Q4 2021 to Q1 2022.
Emotet malware is primarily distributed via email, using attachments that contain malicious code. According to the researchers, around 45% of the analyzed Emotet samples used Office attachments in emails. Their analysis found that 33% of the attachments were spreadsheets, 29% were executables or scripts, 22% were archives, and 11% were documents.
Around 20% of Emotet samples exploited a years-old bug in Microsoft Office. Microsoft released a patch for the memory corruption vulnerability in 2017, yet it has been exploited in countless attacks since; successful exploitation allows the attackers to execute code remotely. Around 9% of all Emotet samples analyzed by the researchers were new variants that had never been seen before and were therefore unlikely to be detected by email security solutions and antivirus software, and 14% of samples had evaded at least one email security gateway prior to capture. To block these new threats, rather than relying on signature-based detection methods, cybersecurity solutions need AI/machine learning capabilities that can identify and block previously unseen malware variants.