The Whale surfaces again: Emotet Epoch4 Spam-Botnet returns

The prolific Emotet spam botnet, more specifically its Epoch4 (E4) cluster, has made a comeback after about three months of inactivity. In this post we want to inform you about the current spam campaign and the threat it poses to businesses around the world.

Emotet, which was initially conceived in 2014 to steal online-banking information, evolved over time into a comprehensive platform for threat actors. It steals information, runs malspam campaigns and delivers later-stage malware, thereby enabling large-scale intrusions. The infrastructure behind Emotet changes frequently, as seen after the takedown attempt coordinated by Europol in 2021, which resulted in a 10-month gap in the spread of Emotet. After this break the threat actors who took over the botnets bounced back and produced the second significant peak in Emotet activity.

Current Malspam Campaign

The new Emotet E4 campaign kicked off at around 12 AM UTC on the 7th of March 2023 (as observed by the Cryptolaemus Group, which specializes in tracking Emotet activity) and features a distinct modus operandi across the observed malspam e-mails.

The threat actors behind Emotet adopted a technique currently employed by many other crimeware actors: inflating malicious files with null bytes so that they are not scanned by anti-virus or EDR solutions, which generally skip large files because of the performance impact. To hide the size of the file from the user, the malicious document lures are delivered as archive files (e.g. zip). Once unzipped, the analyzed Emotet samples weigh in at over 500 MB, as can be seen in Figure 1.

Figure 1: Related Malware samples; left: first stage, right: second stage

To better visualize the artificial inflation of the samples, we created a graphical representation of the files in Figure 2; dark blue marks null bytes (essentially empty space, which compresses very well).

Figure 2: Visualization of the inflated samples
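The two observations above (a file that is mostly null bytes and therefore compresses extremely well) translate directly into a triage check a defender can run on e-mail attachments before a size-limited scanner gives up on them. The following script is an added example and not part of the original post or of SECUINFRA's tooling: it streams a file in chunks, counts 0x00 bytes, tracks the longest run of nulls across chunk boundaries and compares the raw size with the zlib-compressed size. The thresholds (1 MiB minimum size, 90 % nulls, 50:1 compression ratio) and the two sample blobs are assumptions constructed for the demonstration, not measurements of the Emotet samples.

```python
import io
import random
import re
import zlib
from dataclasses import dataclass

# Runs of 0x00 bytes; used to find the longest padding block across chunks.
_NULL_RUN = re.compile(rb"\x00+")


@dataclass
class InflationReport:
    size: int                 # total bytes read
    null_fraction: float      # share of 0x00 bytes in the whole file
    longest_null_run: int     # longest contiguous block of 0x00 bytes
    compression_ratio: float  # size / zlib-compressed size
    suspicious: bool


def inspect_padding(stream, chunk_size=1 << 20, min_size=1 << 20,
                    null_threshold=0.90, ratio_threshold=50.0):
    """Stream a file and measure how much of it is null-byte padding.

    The thresholds are assumptions for this example: a file is flagged when it
    is at least `min_size` bytes and either consists mostly of 0x00 bytes or
    compresses implausibly well.
    """
    size = nulls = longest = current = compressed = 0
    compressor = zlib.compressobj(level=6)
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        nulls += chunk.count(b"\x00")
        compressed += len(compressor.compress(chunk))
        # Track null runs that continue across chunk boundaries.
        runs = list(_NULL_RUN.finditer(chunk))
        for match in runs:
            start, end = match.span()
            run = end - start
            if start == 0:
                run += current  # continues the run left open by the previous chunk
            longest = max(longest, run)
            current = run if end == len(chunk) else 0
        if not runs:
            current = 0
    compressed += len(compressor.flush())
    null_fraction = nulls / size if size else 0.0
    ratio = size / compressed if compressed else 0.0
    suspicious = size >= min_size and (
        null_fraction >= null_threshold or ratio >= ratio_threshold
    )
    return InflationReport(size, null_fraction, longest, ratio, suspicious)


def inspect_bytes(blob, **kwargs):
    """Convenience wrapper for in-memory data."""
    return inspect_padding(io.BytesIO(blob), **kwargs)


def inspect_file(path, **kwargs):
    """Convenience wrapper for a file on disk (e.g. an unpacked attachment)."""
    with open(path, "rb") as fh:
        return inspect_padding(fh, **kwargs)


# Constructed samples (not real malware): a small "document" followed by 3 MiB
# of padding, and a random blob that behaves like an ordinary compressed file.
INFLATED_SAMPLE = b"PK\x03\x04" + bytes(range(256)) * 16 + b"\x00" * (3 << 20)
BENIGN_SAMPLE = random.Random(7).randbytes(2 << 20)

if __name__ == "__main__":
    for name, blob in (("inflated", INFLATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, inspect_bytes(blob))
```

Because the file is read in chunks, the check scales to the 500 MB samples described above without loading them into memory, and the longest-run figure distinguishes genuine padding at the end of a file from the scattered zeros that legitimate Office and PE files contain anyway.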

The malicious Word documents currently sent via Emotet spam are referred to as the “Red Dawn” template (Figure 3) by the Cryptolaemus Group. The lure tries to convince the user that the document is encrypted/protected and that, to view it, they have to enable the macro code it contains. Clicking the “Enable Content” button in the upper left corner triggers the AutoOpen() routine of the macro code, which downloads and executes the next stage of the malware in the background.

Figure 3: Word Template “Red Dawn” used by Emotet

To make the document appear more legitimate than it actually is, it contains a hidden block of text, which can be seen in the screenshot of our hex editor in Figure 4. The text is a passage from “Moby Dick” by Herman Melville, which also inspired the title of the blog post you are reading right now.

Figure 4: Excerpt from “Moby Dick” contained in the Word file

The macro code used in Emotet maldocs (Figure 5) is heavily obfuscated and changes from sample to sample, which makes consistent detection of these samples more difficult. This technique is commonly known as “hashbusting” and can only be observed in a handful of other sophisticated crimeware strains.

Figure 5: Macros contained in the Word file, highly obfuscated

Figure 6 shows some metadata of the second-stage DLL payload mentioned above. This payload, too, is heavily obfuscated and consists of multiple modules. The timestamp shows the hashbusting technique at work again: at the time of writing, this payload had been compiled very recently.

Figure 6: Information on the second stage DLL
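The compile timestamp in Figure 6 is a useful triage signal precisely because hashbusted payloads are rebuilt so often: a DLL whose COFF TimeDateStamp lies within the last day (or in the future, or is zeroed) deserves a closer look. The script below is an added example, not code from the original post or from SECUINFRA; it reads the timestamp from the PE header and classifies it against a reference time. The 24-hour window, the fixed reference time and the header-only stub image built by build_stub_pe() are assumptions constructed for the demonstration, not values taken from the analyzed sample.

```python
import struct
from datetime import datetime, timezone

PE_SIGNATURE_OFFSET = 0x3C   # e_lfanew field in the DOS header
FRESH_WINDOW = 24 * 3600     # assumed triage window, in seconds


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (Unix epoch seconds) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, PE_SIGNATURE_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine (2), NumberOfSections (2), TimeDateStamp (4), ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def assess_compile_time(data: bytes, now: int, fresh_window: int = FRESH_WINDOW) -> str:
    """Classify the compile timestamp relative to `now` (Unix epoch seconds).

    'zeroed' - timestamp cleared (reproducible builds, or deliberately stripped)
    'future' - timestamp after `now` (clock skew or forged)
    'fresh'  - compiled within `fresh_window`, as with a hashbusted payload
    'aged'   - older than the window
    """
    ts = pe_timestamp(data)
    if ts == 0:
        return "zeroed"
    age = now - ts
    if age < 0:
        return "future"
    if age <= fresh_window:
        return "fresh"
    return "aged"


def describe(data: bytes) -> str:
    """Human-readable UTC compile time, as an analyst would note it in a report."""
    ts = pe_timestamp(data)
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def build_stub_pe(timestamp: int) -> bytes:
    """Construct a minimal header-only PE image for the demonstration (not a real DLL)."""
    image = bytearray(0x80 + 24)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, PE_SIGNATURE_OFFSET, 0x80)
    image[0x80:0x84] = b"PE\0\0"
    # Machine = x64, one section, TimeDateStamp as given
    struct.pack_into("<HHI", image, 0x84, 0x8664, 1, timestamp)
    return bytes(image)


if __name__ == "__main__":
    NOW = 1678276800                      # 2023-03-08 12:00 UTC, fixed for reproducibility
    sample = build_stub_pe(1678197600)    # constructed: "compiled" 2023-03-07 14:00 UTC
    print(describe(sample), assess_compile_time(sample, NOW))
```

On a real file, pass the bytes of the DLL to assess_compile_time() together with the current time; the result is only a heuristic, since build timestamps can be set arbitrarily, but combined with the file-size check above it separates freshly rebuilt payloads from the long-lived binaries that make up most of a mailbox's attachments.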

Outlook

It remains to be seen whether Emotet returns to its former strength, but we estimate that the E5 botnet cluster will also join the spam fest. Down the road, there is a high likelihood of a swift shift in techniques. Given that Microsoft globally disabled macros a while ago, other templates, encrypted archives and documents, or even OneNote notebooks would be options. That said, let’s not give the attack group too many ideas.

In any case, a high priority for businesses will remain to closely monitor e-mail traffic, use state-of-the-art security software such as EDR, and reduce the attack surface by blocking Office macros or native executables.

Indicators of Compromise

b2bb80310dca2ee1127f4723ca27cf6a59f0243760e139f6f108cdb692b795f7 PO.doc
53477cf7d42a766819d25df062b62aa39d89beba993262b2bd9251d55fdc59dc PO.zip

b3fd2051fc1b96c495d355db0d334436e1c6d4438cd0beab23a5b1cbca869fd2 PU7syr1XAm.zip
efcf59f4423df8fdacbfa8c3d23b6a3e4722bab65c31ea8a7f32daadddfa7adc VdaN1GI2TTwnq1xfcuZGiVPNHHbdxkEOc.dll

Do you need help regarding this threat? We are happy to support you with our managed and co-managed detection and response services! Contact our experts online or via phone:  +49 30 5557021 11

SECUINFRA Falcon Team • Author

Digital Forensics & Incident Response experts

In addition to the activities that are the responsibility of customer orders, the Falcon team takes care of the operation, further development and research of various projects and topics in the DF/IR area.
