TA542, the cyber criminal nexus suspected of operating the Emotet botnet, seems to have used a recent period of downtime to test out some new features that may indicate the group is changing up its tactics, techniques and procedures, and is likely trying to get around a recent Microsoft update that blocks web macros by default, according to intelligence from Proofpoint.
Despite the seizure of Emotet’s servers in January 2021, and the subsequent purge of the malicious botnet by law enforcement, TA542, which also goes by Mummy Spider, resurrected it last November.
Since then, the revitalised botnet has targeted thousands of organisations with tens of thousands of phishing messages in a campaign that peaked during the first and third weeks of March.
However, it has become customary among cyber criminal actors to take breaks around key holiday periods, and right on schedule, this high level of activity briefly dropped off in early April, with the lull continuing through the Easter holidays.
It was during the Easter lull, Proofpoint said, that its analysts observed atypical behaviour from Emotet, and the firm’s vice-president of threat research and detection, Sherrod DeGrippo, suggested two potential theories as to why this was.
“After months of consistent activity, Emotet is switching things up,” she said. “It is likely the threat actor is testing new behaviours on a small scale before delivering them to victims more broadly, or to distribute via new TTPs alongside its existing high-volume campaigns. Organisations should be aware of the new techniques and ensure they are implementing defences accordingly.”
The activity took the form of a low volume of spam emails distributing Emotet from compromised email addresses rather than from the Emotet spam module. These emails had simple subject lines, usually one word, and the body text contained nothing more than a OneDrive URL. This URL in turn hosted a zip file – marked with the same lure as the email subject – containing a Microsoft Excel Add-In (XLL) file (or files) which, when executed, dropped and ran Emotet via the Epoch 4 botnet.
This differs from previously seen Emotet TTPs in three respects: its low-volume nature (Emotet has more typically used high-volume email campaigns); the use of OneDrive (more typically it arrives via a Microsoft Office attachment or a URL linking to a compromised site containing a tainted Office file); and the use of XLL files (previously Emotet has relied on Microsoft Excel or Word documents containing VBA or XL4 macros).
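The traits described above (a one-word subject, a body that is only a OneDrive URL, a zip named after the lure, and XLL files inside it) can be checked together during mail triage. The Python below is an added example, not Proofpoint's detection logic; the OneDrive hostnames, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: hostnames used by OneDrive share links; extend for your tenant.
ONEDRIVE_HOSTS = ("1drv.ms", "onedrive.live.com")
URL_ONLY = re.compile(r"https?://([^/\s:]+)\S*", re.IGNORECASE)

def email_matches_lure(subject: str, body: str) -> bool:
    """True for a one-word subject whose body is nothing but a OneDrive URL."""
    match = URL_ONLY.fullmatch(body.strip())
    if len(subject.split()) != 1 or not match:
        return False
    host = match.group(1).lower()
    return any(host == h or host.endswith("." + h) for h in ONEDRIVE_HOSTS)

def xll_members(zip_bytes: bytes) -> list:
    """Return (name, has_pe_header) for every .xll member of the archive."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            for info in archive.infolist():
                if info.filename.lower().endswith(".xll"):
                    try:
                        with archive.open(info) as member:
                            is_pe = member.read(2) == b"MZ"  # an XLL is a DLL
                    except RuntimeError:  # encrypted member, header unreadable
                        is_pe = None
                    found.append((info.filename, is_pe))
    except zipfile.BadZipFile:  # not a zip at all: nothing to report
        pass
    return found

def triage(subject: str, body: str, zip_name: str, zip_bytes: bytes) -> dict:
    """Report each trait of the delivery chain separately for the analyst."""
    lure = subject.strip().lower()
    xlls = xll_members(zip_bytes)
    return {
        "email_lure": email_matches_lure(subject, body),
        "zip_reuses_subject": bool(lure) and lure in zip_name.lower(),
        "xll_files": xlls,
    }

def constructed_sample_zip() -> bytes:
    """Constructed sample: a zip holding a fake XLL (an 'MZ' stub, not malware)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Salary.xll", b"MZ" + b"\x00" * 62)
        archive.writestr("notes.txt", b"constructed")
    return buffer.getvalue()
```

Each trait is weak on its own, so the result is most useful as a scoring input: an XLL delivered inside an archive from a file-sharing link is rare in ordinary business mail.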
Proofpoint’s analysts said it was notable that TA542 is exploring techniques that do not rely on macro-enabled documents. This is likely because in February 2022 Microsoft announced that it would begin blocking Visual Basic for Applications (VBA) macros obtained from the public internet by default across five of its most used Office apps from April, in an attempt to improve security for end-users.
Proofpoint said that threat actors like TA542 that had relied on macro-enabled attachments to deliver their malware typically depend on social engineering to convince a recipient that their content can be trusted and that they should enable macros to view it. Blocking macros by default hampers this approach because it makes it much harder for users to simply click on something to open it.
Microsoft’s changes apply to installations of Office running on Windows machines, and are being applied to Access, Excel, PowerPoint, Visio and Word from Version 2203 onwards through Current Channel Preview, ahead of a wider roll-out.
The analysts said they still believed the activity could be safely attributed to TA542 as it has closely controlled Emotet throughout its life, and has shied away from renting its capabilities to other groups.
More information on the campaign, including indicators of compromise (IoCs), is available from Proofpoint.