Late in 2021, Emotet returned after an almost 10-month hiatus and is currently being spread again in large malicious spam campaigns.
The malware operation behind Emotet was disrupted in January 2021 by law enforcement, leading to a dramatic reduction in activity. However, this lull has proven temporary, with Emotet’s return demonstrating the resilience of botnets and their operators.
The malware’s resurgence raises questions about what has changed in the new binaries being distributed. HP Wolf Security explored this in the article summarized here, which includes step-by-step analysis with a variety of visuals.
In November, HP Sure Click Enterprise – part of HP Wolf Security – isolated a large Emotet campaign against an organization. A user had opened an Excel email attachment containing a malicious macro. The macro spawned cmd.exe, which attempted to download and run an Emotet payload from a web server.
Since malware delivered over email is extremely common, HP Sure Click automatically treats files delivered via email as untrusted. When the user opened the attachment, HP Sure Click isolated the file in a micro-virtual machine (micro-VM), thereby preventing the host from being infected.
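The infection chain above (an Office document whose macro spawns cmd.exe to fetch a payload) is a parent/child relationship that shows up plainly in process-creation telemetry, and it is one of the most reliable places to catch this behaviour on hosts that do not have isolation in place. The following detection logic is an added example and is not code from HP Wolf Security or from the article; the log lines are constructed for illustration, the `key="value"` field layout is an assumption (it loosely resembles Sysmon Event ID 1 fields), and the payload command line is replaced by a placeholder.

```python
# Added example (not from the original article): flag command interpreters and
# script hosts spawned directly by Microsoft Office processes, which is how the
# Excel macro described above launched cmd.exe.
import re
from dataclasses import dataclass
from typing import Dict, List

# Office applications that should rarely, if ever, spawn a shell.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Child processes that are suspicious when their parent is an Office app.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
}

# Regex for the assumed key="value" log layout (an assumption, not a real product format).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed process-creation log line into a ProcessEvent."""
    fields: Dict[str, str] = dict(FIELD_RE.findall(line))
    return ProcessEvent(
        parent_image=fields.get("ParentImage", ""),
        image=fields.get("Image", ""),
        command_line=fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office_child_spawn(ev: ProcessEvent) -> bool:
    """True when an Office application directly spawned a shell or script host."""
    return (basename(ev.parent_image) in OFFICE_PARENTS
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def find_alerts(lines: List[str]) -> List[ProcessEvent]:
    """Run the rule over raw log lines and return the events that match."""
    return [ev for ev in map(parse_event, lines) if is_office_child_spawn(ev)]


# Constructed sample telemetry: one benign Excel launch, one benign print helper
# spawned by Excel, one shell launched from Explorer, and the macro's cmd.exe.
SAMPLE_LOG = [
    r'EventID="1" ParentImage="C:\Windows\explorer.exe" '
    r'Image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" '
    r'CommandLine="EXCEL.EXE invoice.xlsm"',
    r'EventID="1" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" '
    r'Image="C:\Windows\splwow64.exe" CommandLine="splwow64.exe 12288"',
    r'EventID="1" ParentImage="C:\Windows\explorer.exe" '
    r'Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe"',
    r'EventID="1" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" '
    r'Image="C:\Windows\System32\cmd.exe" '
    r'CommandLine="cmd.exe /c <payload download command omitted>"',
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(f"ALERT: {basename(ev.parent_image)} spawned {basename(ev.image)}: {ev.command_line}")
```

Only the last constructed line is flagged: Excel launching its print helper and Explorer launching a shell are both normal, so the rule keys on the parent/child pair rather than on cmd.exe alone. In production the same logic maps directly onto a Sysmon or EDR query over `ParentImage` and `Image`, and the parent list can be widened to whichever Office applications the organisation actually deploys.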
HP Wolf’s analysis shows that Emotet has changed during its almost 10-month break.
As well as the use of an updated cryptography library, there have been small changes in memory allocation and in the functional structure of parts of Emotet’s code.
However, large parts of the malware remain the same, indicating that its existing features are still good enough to compromise systems.
To support the security community with further analysis of Emotet, HP Wolf shared the IDA database and Python script used in the article.
The analysis also covers code differences and similarities between this and older versions of Emotet, and a Python script HP Wolf developed to resolve Windows API functions.
Patrick Schläpfer, HP Wolf Security