Threat Report: Emotet Returns With a Strong Sense of Déjà Vu

Analysis of 12 recent samples of Emotet 2021 variants

The Emotet trojan is back! The banking trojan first discovered in 2014 has evolved and is enabling other malware groups to effectively attack victims. Recent Emotet attacks have employed Microsoft Word and Excel documents. How often do you receive Microsoft Word and Excel documents? A total of 12 publicly available samples related to recent Emotet attacks were regression tested against BluVector’s patented Machine Learning Engine (MLE), and all were detected.

What Is It?

Multiple reports in recent weeks have detailed the reemergence of the Emotet trojan, after a multi-national law enforcement operation in January 2021 effectively shut down Emotet operations.

First discovered as a banking trojan by researchers from Trend in June 2014, Emotet has continuously evolved since that time. Emotet operators have found the greatest success by utilizing Emotet to provide access and downloader services to other malware groups. The most well known of these collaborations is the attack chain that begins with Emotet, which facilitates installation of Trickbot malware, which in turn results in the installation and execution of Ryuk ransomware (the predecessor to Conti ransomware). Emotet became so successful that in the announcement of its shutdown in January 2021, Europol described it as the “world’s most dangerous malware”. In their shutdown announcement, the U.S. Department of Justice noted there were more than 1.6 million infected systems globally, with over 45,000 of those located in the U.S.

For such a prolific and notorious threat, Emotet has utilized a fairly basic attack chain, which has remained largely unchanged over time. The current Emotet reemergence continues this trend. The Emotet attack chain begins with a spam email which has a Microsoft Word or Excel document attached. This document contains a malicious macro, which if the user can be socially engineered into allowing to run, will result in the downloading and execution of the Emotet malware. The operators have continued to rely on this attack chain for one simple reason, it continues to work for them – not only in terms of overall numbers of victims, but the specific target profile of victims sought by the other malware groups that utilize their services.

The recent Emotet attacks have utilized both Microsoft Word and Excel documents. When opened by the user, as expected, they both present messages to the user instructing them to enable editing and/or enable content, as this is necessary to allow the embedded malicious macros to execute. As can be seen in the following screenshots, the Excel document message even contains a typo, referring to EXCELL with two L’s.

Figure 1: Messages presented to users when opening the Microsoft Word and Excel documents.

Figure 1: Messages presented to users when opening the Microsoft Word and Excel documents.
Figure 1: Messages presented to users when opening the Microsoft Word and Excel documents.

In the samples analyzed for this Threat Report, the macros in the Word and Excel documents were identical. The macro itself is fairly straightforward, and uses minimal obfuscation. It contains a Powershell command string, which is obfuscated by being liberally interspersed with the string “Cew”.

Figure 2: Malicious macro contained in Office documents
Figure 2: Malicious macro contained in Office documents

When extracted, deobfuscated and formatted for better readability, the Powershell script looks like the following:

Figure 3: Deobfuscated Powershell Emotet 2021 variants downloader script
Figure 3: Deobfuscated Powershell Emotet downloader script

The purpose of the Powershell script it is to attempt to download and execute the Emotet malware itself, from one of seven URL’s hardcoded into the script.

The reemergence of Emotet is not surprising, in fact it could have been considered almost inevitable. It has been reported the Ryuk/Conti ransomware group was the driving force behind this return, as clearly their bottom line was taking a hit due the lack of a reliable provider of initial access and downloader services. However, it is concerning that Emotet has returned with the same attack chain, which is neither novel or sophisticated. This is of concern as clearly in many organizations, their employees are still being taken in by basic social engineering and their detection infrastructure is still relatively easily evaded. Emotet operators are taking an if-it-ain’t-broke-don’t-fix-approach, as it would appear from their point view, so far it ain’t broke.

How Does It Propagate?

The malware does not contain the necessary code to self propagate. Emotet attacks begin with spam emails which have Microsoft Word or Excel documents attached, containing malicious macros.

When/How Did BluVector Detect New Emotet Variants?

A total of 12 publicly available samples related to recent Emotet attacks were regression tested against BluVector’s patented Machine Learning Engine (MLE), and all were detected. The three DOCX samples would have been detected 53 months prior to their release, the two XLSX samples would have been detected 45 months prior and the eight Emotet malware DLL samples would have be detected for 71 months prior.

Team member
Threat Team
BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solutions would protect customers from those threats.

All Threat Reports