The threat actor behind the prolific Emotet botnet is testing new attack methods on a small scale before co-opting them into their larger volume malspam campaigns, potentially in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default across its products.
Calling the new activity an “abnormal behavior”, Proofpoint alternatively raised the possibility that the latest set of phishing emails distributing malware shows that operators have been “engaged with more selective attacks and limited campaigns in parallel to large-scale mass mailing campaigns.”
Emotet, the handiwork of a cybercrime group tracked as TA542 (aka Mummy Spider or Gold Crestwood), staged a revival of sorts late last year after a 10-month-long hiatus following a coordinated law enforcement operation to take down its attack infrastructure.
Since then, Emotet campaigns have targeted thousands of customers with tens of thousands of messages in several geographic regions, with the message volume surpassing one million per campaign in select cases.
The new low-volume email campaign, analyzed by Proofpoint, used salary-themed lures and OneDrive URLs hosting ZIP archives that contained Microsoft Excel Add-in (XLL) files, which, when run, drop the Emotet payload.
The new set of social engineering attacks is said to have taken place between April 4, 2022, and April 19, 2022, when other widespread Emotet campaigns were put on hold.
The absence of macro-enabled Microsoft Excel or Word document attachments is a significant shift from previously observed Emotet attacks, suggesting that the threat actor is pivoting away from the technique as a way to get around Microsoft’s plans to block VBA macros by default starting April 2022.
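The ZIP-wrapped XLL delivery described above lends itself to a simple mail-gateway check: an XLL is a native DLL that Excel loads, so every genuine one starts with a PE (`MZ`) header, and a ZIP member can be flagged both by its add-in extension and by that header regardless of how it is named. The following is an added example written for this article, not Proofpoint's or the Emotet operators' code; the ZIP it inspects is constructed inline with a fake PE stub, and the extension list and quarantine policy are assumptions.

```python
import io
import zipfile
from typing import Dict, List

# Office add-in extensions worth flagging on inbound mail; .xll is the type
# used in the April 2022 campaign, the others are related add-in formats.
RISKY_EXTENSIONS = {".xll", ".xlam", ".xla"}
PE_MAGIC = b"MZ"  # first two bytes of any Windows DLL/EXE, XLLs included


def inspect_zip_attachment(data: bytes) -> List[Dict]:
    """Describe every file inside a ZIP attachment.

    Each finding records the member name, whether its extension is a
    risky add-in type, and whether its first two bytes form a PE header
    (catches an XLL renamed to something innocuous).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            findings.append({
                "name": info.filename,
                "risky_extension": ext in RISKY_EXTENSIONS,
                "pe_header": head == PE_MAGIC,
            })
    return findings


def should_quarantine(findings: List[Dict]) -> bool:
    """Assumed policy: hold the mail if any member is an add-in by name or a PE by content."""
    return any(f["risky_extension"] or f["pe_header"] for f in findings)


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the lure: a fake XLL (PE stub only) plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("salary_adjustment_2022.xll", PE_MAGIC + b"\x00" * 62)
        zf.writestr("readme.txt", b"see attached")
    return buf.getvalue()


if __name__ == "__main__":
    results = inspect_zip_attachment(build_sample_zip())
    for finding in results:
        print(finding)
    print("quarantine:", should_quarantine(results))
```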
The development comes as the malware authors fixed an issue that could have prevented victims from getting compromised by opening weaponized email attachments.
“After months of consistent activity, Emotet is switching things up,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said.
“It’s likely that the threat actor tests new behavior on a smaller scale, before sending them to more victims or via new TTPs. This is in addition to its high-volume campaigns. Organizations should be aware of the new techniques and ensure they are implementing defenses accordingly.”