Several spam campaigns detected. Mealybug, the criminal group that operates Emotet, has implemented new distribution modules. Since 2022, the majority of attacks recorded by ESET have been aimed at Japan, Italy, Spain, Mexico and South Africa
ESET, a global European leader in the cybersecurity market, has published an account of the movements of the Emotet botnet since it made a comeback after being restricted in 2021. Emotet is a malware family that has been active since 2014, operated by a cybercriminal group known as Mealybug or TA542. Although it began as a banking Trojan, it later evolved into a botnet that has become one of the most widespread threats globally. In January 2021, Emotet was subject to a partial elimination thanks to the commitment and international collaboration of eight countries, coordinated by Eurojust and Europol. Emotet resumed operations in November 2021 and launched several spam campaigns, before stopping abruptly in April 2023. In the latest campaigns from 2022-2023, the majority of attacks detected by ESET were aimed at Japan (nearly half), Italy, Spain, Mexico and South Africa.
"Emotet spreads via spam emails. It can exfiltrate information from compromised computers and distribute third-party malware. Emotet operators pay little attention to their targets, installing the malware on systems belonging to individuals, companies and large organizations," explains Jakub Kaloč, the ESET researcher who worked on the analysis.
From late 2021 to mid-2022, Emotet was primarily spread through MS Word and MS Excel documents with embedded VBA macros. In July 2022, Microsoft changed the game for malware families such as Emotet and Qbot, which had relied on phishing emails carrying macro-laden documents as their distribution method, by disabling VBA macros in documents obtained from the Internet.
"The (authorities') disabling of Emotet's main attack vector pushed its operators to look for new ways to compromise their targets. Mealybug began experimenting with malicious LNK and intrusion and a slightly different social engineering technique," explains Kaloč. "The reduction in the size of the attacks and the continuous changes in the approach lead us to think that the results obtained have not been satisfactory."
Later, Emotet embedded a lure in MS OneNote documents; despite the warning that opening it could lead to malicious content, people tended to interact with it.
After its reappearance, Emotet received several updates. Noteworthy changes include a modified cryptographic scheme and new concealment techniques that protect the botnet's modules from analysis. Emotet operators have invested significant effort in avoiding tracking and tracing. They have also implemented several new modules and improved existing ones to remain operational.
Emotet spreads via spam emails, which recipients often believe to be trustworthy because the operators successfully use the thread hijacking technique. Before the takedown, Emotet used modules called Outlook Contact Stealer and Outlook Email Stealer to steal Outlook emails and contact information. However, since not everyone uses Outlook, after the takedown Emotet also targeted a free alternative email client, Thunderbird. It also started using a Google Chrome Credit Card Stealer module to steal credit card data stored in the Google Chrome browser.
According to ESET research and telemetry, Emotet botnets have been silent since early April 2023, most likely due to the identification of a new effective attack vector. The majority of attacks detected by ESET from January 2022 to date targeted Japan (43%), Italy (13%), Spain (5%), Mexico (5%) and South Africa (4%).
For more technical information on Emotet, see the blog post "What's up with Emotet – A brief summary of what happened with Emotet since its comeback" on WeLiveSecurity.