According to new research by VMware, threat actors behind the notorious Emotet malware strain have continued to shift and evolve their tactics and command-and-control (C2) infrastructure to evade detection.

Emotet’s infrastructure was taken down as part of a coordinated law enforcement operation in January 2021, however, the malware’s resurrection in November 2021 gained significant traction across the cyber threat landscape, paving the way for Cobalt Strike infections and, more recently, ransomware attacks involving Quantum and BlackCat.

The research suggests that Emotet is continuously changing to make it more difficult for defenders to adapt and block the malware.

The Emotet threat actors typically distribute phishing emails and specially crafted messages to convince victims to click on malicious links or open malicious documents using a range of differing filetypes.

In January 2022 alone, VMware observed three different sets of attacks in which the Emotet payload was delivered via an Excel 4.0 (XL4) macro, an XL4 macro with PowerShell, and a Visual Basic Application (VBA) macro with PowerShell.

Since then, the NMC have reported on a range of techniques that avoid the use of macros since Microsoft blocked them by default.

Several of the attack chains identified were also observed abusing legitimate executables, also known as living-off-the-land binaries, a popular technique used to prevent detection.

The threat actors also use significant anti-analysis countermeasures to attempt to hide the details of their C2 infrastructure.

The ongoing adaptation of Emotet's attack chain is a major contribution to the reason the malware has been successful for so long.

As Emotet is primarily leveraged through phishing emails, user awareness of this prevalent threat is essential to help mitigate risk of exploitation and therefore prevent a ransomware intrusion.

Organisations are encouraged to provide guidance through internal channels; further guidance on phishing can be found here.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).