- The once prolific threat actor behind the Emotet botnet has quietly begun testing new techniques in preparation for what is expected to be a new high-volume campaign, according to security researchers at Proofpoint.
- Earlier this month, during an otherwise quiet "spring break" period for the threat actor, researchers observed a low volume of emails carrying OneDrive URLs. The URLs hosted zip archives containing Microsoft Excel add-in (XLL) files that, once opened in Excel, dropped Emotet malware onto the target computer.
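The zip-wrapped XLL chain above is the kind of lure a mail gateway or analyst can triage before Excel ever sees it. The following Python script is an added example, not Proofpoint's code or a real sample: it builds a constructed archive inline (a benign text file, a fake XLL that is nothing more than an "MZ" header plus padding, a renamed PE, and a non-PE document) and flags members that look like Excel add-ins. The check rests on one property a practitioner can rely on: an XLL is a native Windows DLL loaded in-process by Excel, so its bytes begin with the PE "MZ" magic rather than an Office container header.

```python
import io
import zipfile

# Extensions Excel treats as add-ins. An XLL is a native DLL that Excel loads
# in-process, so genuine XLL content begins with the PE "MZ" signature.
ADDIN_EXTENSIONS = (".xll", ".xlam", ".xla")
PE_MAGIC = b"MZ"


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return findings for archive members that look like Excel add-ins.

    A member is reported when it carries an add-in extension, or when its
    content starts with a PE header regardless of extension (a renamed DLL).
    Both signals together are recorded as "xll-like"; either alone as
    "suspicious". Members with neither signal are not reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            has_addin_ext = info.filename.lower().endswith(ADDIN_EXTENSIONS)
            with zf.open(info) as fh:
                is_pe = fh.read(2) == PE_MAGIC
            if has_addin_ext or is_pe:
                findings.append({
                    "member": info.filename,
                    "addin_extension": has_addin_ext,
                    "pe_header": is_pe,
                    "verdict": "xll-like" if (has_addin_ext and is_pe) else "suspicious",
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive for the example (not a real malware sample).

    The fake XLL is only an MZ header, padding and a PE marker; it is not a
    loadable DLL. The member names are invented for illustration.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Please review the attached document.\n")
        zf.writestr("Invoice_2022.xll", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("helper.dat", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("notes.docx", b"PK\x03\x04" + b"not really a document")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The extension check alone is not enough, because a renamed DLL still loads if the user is talked into registering it, and the header check alone is not enough, because legitimate software also ships DLLs; the two signals together are what makes the finding worth escalating. In production the same loop would run over the archive fetched from the OneDrive link, and a PE parser would additionally confirm the `xlAutoOpen` export that Excel calls on load.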
- The new activity comes more than a year after Emotet was disrupted in January 2021 by an international coalition of law enforcement agencies, including the FBI, the Dutch National Police and numerous other agencies across Europe.
Emotet was widely considered one of the most prolific botnets in recent history. At the time of the international crackdown in January 2021, Emotet had infected more than 1.6 million computers globally. It cost hundreds of millions of dollars in damage, according to the Department of Justice.
The law enforcement action disrupted the Emotet activity, but did not completely shut down the operation. Emotet, linked to the threat actor TA542 or Mummy Spider, began to reemerge around November 2021, according to researchers.
“TA542 resumed its high volume threat activity attempting to distribute Emotet malware via email,” said Sherrod DeGrippo, VP of threat research and detection at Proofpoint. “The January law enforcement activity was focused on disrupting the botnet infrastructure and did not include arrests.”
A key reason the Emotet threat actor is testing new techniques is likely Microsoft's recent moves to cut off its previous delivery methods, according to Proofpoint researchers. In February, Microsoft announced it would begin blocking Visual Basic for Applications (VBA) macros in files downloaded from the internet by default, starting in April. In July 2021, Microsoft had already announced plans to disable Excel 4.0 (XLM) macros by default. With both macro-based loaders blocked, XLL add-ins, which are native code Excel loads directly, offer an alternative that the macro defaults do not cover.
In the U.S. alone, Emotet has compromised more than 45,000 computers. The threat actor was included in an advisory by the Cybersecurity and Infrastructure Security Agency as a Russia-aligned cyber threat group.
Emotet has previously been used to deploy TrickBot malware, which has often been used to deploy ransomware, according to CISA.