Emotet is a well-known botnet and trojan which distributes follow-on malware via Windows platforms. After a 10-month pause amid a coordinated law enforcement operation to take down its assault infrastructure, Emotet, the work of a cybercrime organization known as TA542 (formerly known as Mummy Spider or Gold Crestwood), marked its comeback late last year.
Since then, Emotet campaigns have sent tens of thousands of messages to thousands of clients across many geographic regions, with message volumes exceeding one million in some situations. The threat actor behind the popular Emotet botnet is experimenting with new attack methods on a small scale before incorporating them into larger-scale spam campaigns, possibly in response to Microsoft's decision to deactivate Visual Basic for Applications (VBA) macros by default across all of its products.
According to analysts, the malicious actors behind Emotet, TA542, are experimenting with new approaches on a micro level before deploying them on a larger scale. The current wave of attacks is claimed to have occurred between April 4 and April 19, 2022, when prior large-scale Emotet campaigns were halted.
Researchers from Proofpoint discovered numerous distinguishing characteristics in the campaign, including the usage of OneDrive URLs rather than Emotet's traditional dependence on Microsoft Office attachments or URLs connecting to Office files. Instead of Emotet's previous use of Microsoft Excel or Word documents with VBA or XL4 macros, the campaign employed XLL files, which are a sort of dynamic link library (DLL) file designed to expand the capability of Excel.
Alternatively, these additional TTPs could mean the TA542 is now conducting more targeted and limited-scale attacks in addition to the traditional mass-scale email operations. The lack of macro-enabled Microsoft Excel or Word document attachments is a notable departure from prior Emotet attacks, implying the threat actor is abandoning the tactic to avoid Microsoft's intentions to disable VBA macros by default beginning April 2022.
The development came after the virus writers addressed an issue last week which prevented potential victims from being compromised when they opened weaponized email attachments.