ESET Research has released a comprehensive report on the resurgence of the notorious Emotet botnet after a brief takedown. Emotet, a malware family that has been active since 2014, is operated by the cybercrime group Mealybug or TA542. Originally designed as a banking trojan, Emotet later evolved into a global botnet, becoming one of the most significant threats worldwide. In January 2021, a limited takedown effort targeted Emotet, led by Eurojust and Europol with collaboration from eight countries. However, in November 2021, Emotet made a comeback and initiated numerous spam campaigns that continued until April 2023. ESET’s latest analysis shows that during the 2022-2023 campaigns, Japan was the primary target (accounting for nearly half of all attacks), followed by Italy, Spain, Mexico, and South Africa.
Emotet operates by propagating through spam emails, capable of exfiltrating data from compromised computers and delivering third-party malware. Its targets are diverse, ranging from individuals to large organizations and corporations. ESET researcher Jakub Kaloč, who was involved in the analysis, explains, “Emotet spreads via spam emails. It can exfiltrate information from, and deliver third-party malware to, compromised computers. Emotet’s operators are not very picky about their targets, installing their malware on systems belonging to individuals, companies, and bigger organizations.”
During the latter part of 2021 and the first half of 2022, Emotet mainly spread through malicious Microsoft Word and Excel documents with embedded VBA macros. However, in July 2022, Microsoft’s actions disrupted this method by disabling VBA macros in documents downloaded from the internet, affecting not only Emotet but other malware families like Qbot as well. Forced to adapt, the Emotet operators turned to malicious LNK and XLL files but faced difficulties in finding an equally effective attack vector. Throughout 2023, they conducted three distinct malspam campaigns, each experimenting with different intrusion avenues and social engineering techniques. However, the attacks’ scale began to decrease, indicating possible dissatisfaction with the results.
In its revived form, Emotet underwent several upgrades, including a switch in its cryptographic scheme and the implementation of new obfuscation techniques to safeguard its modules. The operators exerted significant effort to evade monitoring and tracking since their return. Moreover, new modules were added, and existing ones were improved to maintain profitability.
One of Emotet’s significant strategies involves email thread hijacking, leading people to trust the spam emails it sends. Before the takedown, the botnet used modules called “Outlook Contact Stealer” and “Outlook Email Stealer,” capable of pilfering emails and contact information from Microsoft Outlook. However, post-takedown, Emotet shifted its focus to target users of the free alternative email application, Thunderbird. Furthermore, it adopted the “Google Chrome Credit Card Stealer” module to pilfer credit card information stored in the Google Chrome browser.
As of April 2023, ESET research and telemetry indicate that Emotet botnets have been relatively inactive, likely due to the search for a new, effective attack vector. During the period from January 2022 to the present, ESET’s detection data shows that the majority of Emotet attacks were directed at Japan (43%), followed by Italy (13%), Spain (5%), Mexico (5%), and South Africa (4%).
