Emotet is both a threat actor and a malware loader. In January of last year, the gang was dismantled and the cyber world breathed a sigh of relief. However, it has since had a massive resurgence, and its attacks have become more intense. CISA has stated that Emotet is one of the most destructive and expensive malware strains.
A brief history
Emotet emerged as a banking trojan in 2014 and was used for credential theft.
However, multiple evolutions and DLL modules have turned it into a botnet capable of deploying other malware, such as IcedID or TrickBot. Due to this capability, Emotet is often considered infrastructure-as-a-service.
Since its resurgence, Emotet consists of around 13,000 bots that can spread the malware by spamming targets and perform lateral movement.
By March 2022, the number of Emotet infections doubled from that of the previous month.
Diving into details
Check Point published its Global Threat Index for April, which revealed the following statistics on Emotet.
It is one of the most prevalent malware strains, affecting around 6% of organizations across the globe, followed by FormBook (3%) and Agent Tesla (2%).
The percentage of impacted organizations reached 10% in March due to Easter-related scams.
Nevertheless, the numbers decreased in April, which might be due to Microsoft’s decision to disable macros by default.
Another report by Kaspersky stated that Emotet infections increased 10x from February to March, going from 3,000 emails to 30,000.
What’s new?
The botnet operators were discovered testing new attack tactics after Microsoft disabled VBA macros. In the new delivery method, they used phishing emails containing a OneDrive link.
Furthermore, Emotet operators have started using 64-bit loaders and modules on Epoch 4. Epochs are botnet subgroups that operate on separate infrastructure.
The bottom line
Attackers such as Emotet take advantage of an organization’s poor or insufficient cyber hygiene to gain easy entry to systems. Forescout’s report recommends implementing anti-phishing training, disabling macros, and monitoring the use of regsvr32 on endpoints to stay safe from Emotet infections. As Emotet has emerged as the most dangerous threat in the current cyber landscape, it is necessary to deploy threat hunting and network detection tools to prevent infection.
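One way to act on the regsvr32 monitoring recommendation is shown below as an added example; it is not code from this article or from Forescout's report. It assumes process-creation events with Sysmon Event ID 1-style field names (Image, CommandLine, ParentImage); the sample events and the three heuristics are constructed for illustration.

```python
import ntpath
import re

# Assumption: Sysmon Event ID 1-style field names; all events are constructed.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\sample.dll",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Program Files\Vendor\plugin.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Illustrative heuristics (assumptions, tune per environment).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.I)
SILENT_FLAG = re.compile(r"(^|\s)[/-]s(\s|$)", re.I)

def score_regsvr32(event):
    """Return the reasons a regsvr32 launch deserves review (empty list = none)."""
    if ntpath.basename(event.get("Image", "")).lower() != "regsvr32.exe":
        return []
    reasons = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in OFFICE_PARENTS:
        reasons.append("spawned by Office application")
    cmd = event.get("CommandLine", "")
    if USER_WRITABLE.search(cmd):
        reasons.append("target in user-writable directory")
    if SILENT_FLAG.search(cmd):
        reasons.append("silent registration flag")
    return reasons

def hunt(events):
    """Return (command line, reasons) for every regsvr32 event with findings."""
    hits = []
    for ev in events:
        reasons = score_regsvr32(ev)
        if reasons:
            hits.append((ev["CommandLine"], reasons))
    return hits

if __name__ == "__main__":
    for cmd, reasons in hunt(SAMPLE_EVENTS):
        print(f"REVIEW: {cmd} -> {', '.join(reasons)}")
```

Of the three constructed events, only the regsvr32 launch from Excel is flagged; the installer-driven registration and the unrelated process pass without findings.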