Dive Brief:
- The threat actor behind Emotet, a pervasive botnet once designated the most destructive malware of the last decade, has regrouped with alarming speed and efficacy, according to a report released Wednesday by HP Wolf Security.
- The cybersecurity software and services firm detected a 2,823% increase in Emotet malicious spam campaigns between the fourth quarter of 2021 and the first quarter of 2022, making it the most common malware family in circulation.
- An international coalition of law enforcement agencies disrupted Emotet in January 2021, but it has since, as feared, reconstituted itself as a major threat.
Dive Insight:
The relatively quick recovery of Emotet following an international crackdown emphasizes the threat actor’s ability to change tactics and targets as vendors attempt to close off its previously preferred point of attack, Microsoft Office.
“These rapid shifts indicate that attackers have a large arsenal of tactics and techniques they can draw upon to attack companies,” Patrick Schläpfer, malware analyst at HP, wrote in an email. “Generally, these are foreseeable reactions by threat actors to increasingly well-protected companies.”
Microsoft last month began blocking macros obtained from the internet by default; however, many individuals still have macros enabled and can be tricked into clicking on the wrong thing, Alex Holland, senior malware analyst at HP Wolf Security, wrote in the report. Macros allow users to group multiple frequently used commands into an automated task.
Emotet represented 9% of all malware identified by HP Wolf Security during Q1. The group continued to embed malware in Microsoft Office macros, mostly targeting Japanese organizations with malicious Excel spreadsheets delivered through email thread hijacking.
While email remains the most common vector overall for malware distribution, representing 69% of threats, HP Wolf Security detected different file types distributing malware. There was a quarterly increase of 476% in Java archive files and a 42% increase in JavaScript files.
HP didn’t detect any change in Emotet’s tactics during Q1, but more recently noticed a change in the delivery mechanism. The group temporarily switched from Office documents to link files in late April, Schläpfer said. “Emotet has repeatedly changed tactics over the last quarter, and this could be for a variety of reasons.”
Indeed, Netskope earlier this week said the number of malicious Office documents it blocked through its platform has returned to pre-Emotet levels. “They’re not going away just because Office files have become harder to weaponize,” said Ray Canzanese, threat research director at Netskope Threat Labs. “We have observed a few hundred different variants of malicious link files being spread by Emotet so far.”
HP Wolf Security said it detected threats using 545 different malware families during Q1, with Emotet, AgentTesla and Nemucod as the top three.