Updated Emotet banking trojan more effective, proliferates through Excel macros

When it comes to malware, everything old is frequently new again. This is the case with Emotet, a banking trojan that first surfaced eight years ago, and has emerged again — bigger, badder and trickier than before.

In its new iteration, Emotet is able to access and use spreadsheets, documents and other Microsoft programs, bypassing entry security. When it first reared its ugly head, Emotet emerged as a dangerous banking malware that can strip customer data. Emotet was first employed by a joint international group in January 2014, and botnet operators running it are now using a relatively new module that steals payment card information from Google Chrome, according to reports.

Indeed, this new Emotet malware has led to a nine-fold increase in the use of Microsoft Excel macros compared with what security experts found in the fourth quarter of 2021. The criminals who utilized this trojan were among the first to offer malware-as-a-service (MaaS). According to security researchers, the current version of Emotet still uses many of the same attack vectors as it did in the past, but this new iteration is seen as being more effective in collecting and using stolen credentials.

In a blog post on the re-emergence of Emotet, Chuck Everette, director of cybersecurity advocacy for Deep Instinct, which has been monitoring Emotet since the fourth quarter of last year, noted that the current malware variant uses many of the same “evasion methods” as previous versions.

“These attacks definitely have similar characteristics that they've had in the past,” he said in the company blog post. “They now, however, have some new and improved techniques and tactics.”

Most recently, it has been targeting customers in Japan, as well as the United States and Italy since this spring. Deep Instinct researchers detected the malware's re-emergence last November, and they noted that this revamped malware was even able to get past email gateway security.

In addition, Emotet is utilizing 64-bit shell code, as well as more advanced PowerShell and active scripts, “with nearly a fifth of all malicious samples exploiting the 2017 Microsoft vulnerability CVE-2017-11882,” according to reports.

"We use internal code and binary similarity algorithms on our cloud backend to associate and correlate new variants of a select set of campaigns which we monitor very closely, Emotet being one of them," Everette explained. In particular, several static evasion methods are very characteristic of Emotet, and upticks in those methods in new variant waves are very indicative of Emotet activity, he explained in Dark Reading.

“The Emotet Gang are professionals. They know how to run a successful phishing campaign and have now upped their game with new sophisticated attack techniques,” Everette said on his company’s blog on the re-emergence of Emotet. "However, the primary delivery method is still phishing emails, and the human factor is the weakness."

“If you make yourself more difficult to attack than another company, they will go after the easier target," Everette said. "Make sure you're the harder target to penetrate. Educate your employees."
