Since its inception in 2014, Emotet has continued to evolve steadily, adding several new tactics and techniques to increase its likelihood of successful infection. The latest addition to its arsenal is a new evasion technique to trick users into allowing macros to download the dropper.
New bait by Emotet
As observed by researchers from BlackBerry, Emotet operators are using .xls files in this new wave of phishing attacks.
- When a user downloads a .xls attachment from the phishing email, it prompts them to enable the macros to download the Emotet dropper.
- Since these .xls files are automatically trusted by Microsoft, any file executed from here on is automatically ignored by the Protected View functionality, allowing macros to run without any hindrance.
In addition to this, the new variant of Emotet has now moved from 32-bit to 64-bit as another method for evading detection.
Its previous effective techniques
While Emotet primarily leverages phishing emails to infect its victims, multiple other evasion tactics to drop the malware have been observed recently.
- In October, Trustwave researchers identified an unprecedented rise in password-protected ZIP filesthat delivered the Emotet trojan.
- An update by the VMware Threat Analysis Unit revealed Emotet’s use of spam messages and embedded URLs to avoid detection.
- In September, Emotet used Cobalt Strike beacons that paved way for Quantum and BlackCat ransomware infections.
To stay protected against Emotet, experts recommend using better email security solutions, strong authentication mechanisms, and implementing network segmentation. It is further suggested to apply security patches for all software, firmware, plugins, and OS on a regular basis.