The prolific zombie botnet known as Emotet has re-emerged with new tricks designed to infect PCs carrying Windows operating systems with malicious software.

The botnet has been referred to as the most dangerous operation of its kind ever in existence. A botnet typically consists of a large number of interconnected compromised devices. The combined power of those devices is harnessed by a bot master, who uses the botnet for a wide range of cybercriminal activity, such as spreading malware throughout company networks and distributed denial of service (DDoS) attacks that can knock enterprise servers and sites offline. Emotet had earned a reputation for distributing malware, including crypto malware, to victims around the globe.

In 2021, its nefarious activities were effectively disrupted by a coordinated strike by various international law enforcement agencies.

Approximately 10 months after the takedown, the botnet resumed its campaigns. Emotet is now issuing millions of phishing emails in large-scale spam campaigns. Its aim is to infect devices with malicious software that chains them into a botnet under Emotet's control.

Small scale testing

A recent report by cybersecurity researchers at Proofpoint states that Emotet now appears to be trialling new attack methods on a small scale. These techniques could later be adopted for far larger campaigns. They are designed to make attacks harder to spot, with the aim of increasing the likelihood that a cyber strike succeeds.

The emergence of these new attack techniques coincided with a period when experts believed widespread campaigns from Emotet had paused, with only minimal new activity. Past Emotet campaigns typically involved mass spam runs that were fully automated for ease of deployment at scale. In this case, however, evidence suggests that the phishing emails are being sent in smaller batches by a human operator.

New techniques revealed

One of the new campaigns involves compromised email accounts being used to send spam-phishing emails whose subject line is a single word, for example "salary", chosen to encourage curious recipients to open them.

The body of the email contains no message, simply a OneDrive URL that hosts a zip file containing Microsoft Office Excel Add-in files named to match the subject line. If the recipient opens and executes the files, Emotet is deployed onto the device, infecting it with malicious software.
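The lure described above has a recognisable shape that a mail-filtering or triage script can check for: a one-word subject, a body that is nothing but a OneDrive link, and a zip behind that link holding Excel add-in (.xll) files named after the subject. The following is an added example written for this article, not Proofpoint's or anyone else's detection code; the OneDrive hostnames it matches and the sample messages it scores are my own assumptions and constructed test data.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+", re.I)
# Assumed OneDrive hostnames; extend to match what your mail gateway sees.
ONEDRIVE_HOSTS = ("1drv.ms", "onedrive.live.com")


def make_zip(names):
    """Build an in-memory zip with the given member names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


def score_message(subject, body, downloaded=None):
    """Return the list of campaign indicators a message matches, in a fixed order.

    `downloaded` is the raw bytes fetched from the linked URL, if an analyst or
    sandbox already retrieved it; pass None to score on the email alone."""
    hits = []
    words = subject.strip().split()
    if len(words) == 1:                       # e.g. just "salary"
        hits.append("single_word_subject")
    urls = URL_RE.findall(body)
    if urls and not URL_RE.sub("", body).strip():   # nothing in the body but links
        hits.append("link_only_body")
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]
    if any(h == d or h.endswith("." + d) for h in hosts for d in ONEDRIVE_HOSTS):
        hits.append("onedrive_link")
    if downloaded is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(downloaded)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        xll = [n.rsplit("/", 1)[-1] for n in names if n.lower().endswith(".xll")]
        if xll:
            hits.append("xll_in_zip")
            # Add-in file named to match the subject line, as in the campaign.
            if words and any(n[:-4].lower() == words[0].lower() for n in xll):
                hits.append("xll_named_after_subject")
    return hits


def is_suspicious(hits, threshold=3):
    """Simple verdict: three or more indicators together warrant quarantine/review."""
    return len(hits) >= threshold
```

A mail-only score (no download) still flags the single-word subject plus link-only OneDrive body, which is enough to route the message for review before anyone opens the attachment.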

Proofpoint's Sherrod DeGrippo commented:

“After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviours on a small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures) alongside its existing high-volume campaigns. Organisations should be aware of the new techniques and ensure they are implementing defences accordingly. Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable.”

DeGrippo added that the best simulations to use are those that mimic the techniques used in real-world attacks informed by the most up-to-date threat intelligence.