Emotet Returns with Updated Modules and New Campaign

The Emotet malware is back after a hiatus of a couple of months, according to new research. The malware is now using updated payloads the operators implemented to avoid detection.

Emotet operators seem to attack in waves, with periods of inactivity in which developers improve and update the malware. Security researchers discovered that Emotet is now active once more after a two-month break. Emails stemming from the Emotet botnet started flowing once more.

The scope of the malware campaign is vast, with infected emails sent in various languages depending on the country, or using different themes, depending on holidays and other significant events. But the main difference is how the malware tells users to enable macros, an essential step in the infection process.

“The document still contains malicious macro code to install Emotet, and still claims to be a “protected” document that requires users to enable macros in order to open it,” say the Cofense researchers.

“The old version would not give any visible response after macros were enabled, which may make the victim suspicious. The new version creates a dialog box saying that “Word experienced an error trying to open the file.” This gives the user an explanation why they don”t see the expected content, and makes it more likely that they will ignore the entire incident while Emotet runs in the background.”

The malware comes with a few updates of its own. The software comes in the form of a DLL initialized by Windows” rundll32.exe. The communication with the command and control center is also more difficult to detect after the operators switched from plain text to binary.

The new Emotet update makes it clear that the malware is here to stay, and that operators will likely keep it up to date to fool as many people as possible and continue to try to trick security solutions.