
New detection bypass methods accompany Emotet revival

The Emotet malware-as-a-service operation, attributed to the TA542 cybercrime group (also tracked as Mummy Spider or Crestwood), has adopted novel detection evasion techniques in its resurgence following its takedown in early 2021, according to The Hacker News. A BlackBerry report found that Emotet's module arsenal has been updated with an SMB spreader that enables lateral movement and a credit card stealer targeting Chrome. Besides switching to XLS files for dropper downloads, the new variants' 64-bit builds have also helped them slip past detection. Together, these changes let Emotet evade Mark of the Web protections and execute malicious macros embedded in documents, the report said. "With its steady evolution over the last eight-plus years, Emotet has continued to become more sophisticated in terms of evasion tactics; has added additional modules in an effort to further propagate itself, and is now spreading malware via phishing campaigns," said BlackBerry.
