The Emotet banking trojan is propagated mostly via Microsoft Office email attachments. (Photo by Justin Sullivan/Getty Images)

Researchers reported on Thursday that after being disrupted in early 2021, after a few months of so-called “summer vacation” Emotet re-emerged with nearly daily activity since October of last year.

In a blog post, Deep Instinct researchers said the current wave of Emotet malspam is delivered via “thread hijacking” emails. The attachments come in both password-protected zips as well as plain attachments.  

Emotet started as a banking trojan in 2014 and was spread via spam campaigns, imitating financial statements, transfers, and payment invoices. The researchers said Emotet gets propagated mostly via Microsoft Office email attachments containing a macro. If enabled, it downloads a malicious PE file (Emotet) which then gets executed.

“Security pros should read this research as confirmation that even if they don't see a prevalence of infections from a specific group, it does not mean they are not maintaining a presence or monitoring devices that are still infected, “ said Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct. “Bad actors don't just go away. They might go dark when there’s too much attention being placed on them, but in many cases they don't just disappear.”

Fulmer explained that a couple examples are how Emotet countlessly reemerges after "disappearing" for a period of time, or how Darkside went dark after the Colonial Pipeline attack just to reemerge as a newly named group with the same attack methodology and payloads. Fulmer said this also emphasizes the danger infected machines pose and how crucial it is to ensure there’s nothing malicious remaining on the machine.

“When Emotet came back to action, the first order was to push out updated malware to currently infected machines which I guarantee environments assumed were clean, but had some level of persistence allowing the group to instantly access them upon return, Fulmer said. “Security teams need to be more proactive and leverage all items at their disposal. This means shifting from a stance of detection toward prevention-first offerings and changing the mindset to adopt an assume-breach mentality.”

Here’s another example of a group evolving its strategy to avoid detection engines, said Andrew Barratt, vice president at Coalfire. Barratt said Proofpoint also had an interesting post on the return of Emotet earlier this week. Barratt said he suspected the time “off grid” was to avoid the detection fatigue level they were probably getting.

“High amounts of detection isn't good for an initial access broker — they need infiltration to be possible and then they can sell for a healthy price,” Barratt said. “This could be new management or just a better monetization strategy. It may also be in part a de-risking strategy as initial access brokers don't often trigger the alarm bells. It's the cyber criminals that are delivering the final blow via ransomware/extortion or mass data theft that law enforcement then go after.”

Mike Parkin, senior technical engineer at Vulcan Cyber, said while we’d all hope that a threat group dropping out of sight is a permanent thing, it’s not surprising that they came back. Parkin said there are multiple reasons an APT group might drop out of sight for a while.

“Anything from law enforcement pressure to internal tensions, to taking time to develop new tools and researching new attack techniques, to everyone taking a holiday at the coast, could make it appear they went dark,” Parkin said. “It’s entirely possible they’ve had a change of leadership. While the public doesn’t have much visibility into how these APT groups work, it’s a safe bet that they’re not operating in the most stable business environments. Changes in personnel, management, should be expected.”