The Whale surfaces again: Emotet Epoch4 Spam-Botnet returns

The prolific Emotet spam botnet, more specifically its Epoch4 (E4) cluster, has made a comeback after about three months of inactivity. This post summarises the current spam campaign and the threat it poses to businesses around the world.

Emotet, first seen in 2014 as a banking trojan designed to steal online-banking credentials, evolved over time into a comprehensive platform for threat actors. It steals information, runs malspam campaigns and delivers later-stage malware, thereby enabling large-scale intrusions. The infrastructure behind Emotet changes frequently, as seen after the law-enforcement takedown coordinated by Europol in January 2021, which resulted in a roughly ten-month gap in the spread of Emotet. After this break the threat actors who took over the botnets bounced back and created the second significant peak in Emotet activity.

Current Malspam Campaign

The new Emotet E4 campaign kicked off at around 12 AM UTC on 7 March 2023 (as observed by the Cryptolaemus group, which specialises in tracking Emotet activity) and shows a distinct modus operandi across the observed malspam e-mails.

The threat actors behind Emotet have adopted a technique currently used by many other crimeware actors: inflating malicious files with null bytes so that they exceed the file-size limits of anti-virus and EDR solutions, which often skip very large files to limit the performance impact. To hide the file size from the user, the malicious document lures are delivered inside archives (e.g. ZIP), where the padding compresses to almost nothing. Once extracted, the analysed Emotet samples weigh in at over 500 MB, as shown in Figure 1.


Figure 1: Related Malware samples; left: first stage, right: second stage


To visualise the artificial inflation of the samples, we created a graphical representation of the files in Figure 2, with dark blue showing null bytes (essentially empty space that compresses very well).

Figure 2: Visualization of the inflated samples
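The inflation described above can be measured rather than eyeballed. The following Python script is an added example and not code from the original post: it constructs a stand-in for an inflated sample (a small fake payload followed by null padding), reports how much of the file is trailing padding and how well it compresses, and inspects a constructed ZIP lure from the central directory alone, so the padding never has to be extracted to disk. The thresholds and the file name `PO.doc` used for the constructed archive are assumptions chosen for illustration.

```python
"""Triage checks for null-byte inflated samples.

Added example, not code from the original post. It constructs a stand-in
for an inflated sample (a small fake payload followed by null padding),
measures how much of the file is padding and how well it compresses, and
inspects a ZIP lure without extracting it. The thresholds are assumptions
chosen for illustration, not values from the post.
"""
import io
import os
import zipfile
import zlib

# Assumed triage thresholds (not from the original post).
NULL_RATIO_THRESHOLD = 0.90          # at least 90 % of the bytes are 0x00
COMPRESSION_RATIO_THRESHOLD = 20.0   # uncompressed size / compressed size


def make_inflated_sample(payload: bytes, total_size: int) -> bytes:
    """Constructed stand-in for an inflated sample: real content first,
    then null padding up to total_size."""
    if total_size < len(payload):
        raise ValueError("total_size is smaller than the payload")
    return payload + b"\x00" * (total_size - len(payload))


def trailing_null_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of the file."""
    return len(data) - len(data.rstrip(b"\x00"))


def analyze(data: bytes) -> dict:
    """Summarise inflation indicators for one file's contents."""
    run = trailing_null_run(data)
    compressed = zlib.compress(data, 6)   # DEFLATE, the method ZIP lures use
    return {
        "size": len(data),
        "trailing_null_bytes": run,
        "effective_size": len(data) - run,
        "null_ratio": data.count(0) / len(data) if data else 0.0,
        "compression_ratio": len(data) / max(len(compressed), 1),
    }


def is_inflated(data: bytes) -> bool:
    """True when both the null share and the compressibility look like padding."""
    r = analyze(data)
    return (r["null_ratio"] >= NULL_RATIO_THRESHOLD
            and r["compression_ratio"] >= COMPRESSION_RATIO_THRESHOLD)


def build_lure_zip(name: str, content: bytes) -> bytes:
    """Constructed archive lure: one padded document stored with DEFLATE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Flag members whose stored size dwarfs their compressed size, using only
    the central directory (no extraction, so the padding never touches disk)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            ratio = zi.file_size / max(zi.compress_size, 1)
            findings.append({
                "name": zi.filename,
                "file_size": zi.file_size,
                "compress_size": zi.compress_size,
                "compression_ratio": ratio,
                "suspicious": ratio >= COMPRESSION_RATIO_THRESHOLD,
            })
    return findings


if __name__ == "__main__":
    # 4 KiB of fake content padded to 1 MiB; the real samples exceed 500 MB.
    inflated = make_inflated_sample(b"MZ" + b"\x90" * 4094, 1 << 20)
    benign = os.urandom(64 * 1024)
    print(analyze(inflated), is_inflated(inflated))
    print(analyze(benign), is_inflated(benign))
    print(suspicious_zip_members(build_lure_zip("PO.doc", inflated)))
```

The central-directory check is the one to run at the mail gateway: a member whose stored size is hundreds of times its compressed size is either padding or a zip bomb, and both deserve a closer look before anything is extracted.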


The malicious Word documents currently sent via Emotet spam use what the Cryptolaemus group calls the “Red Dawn” template (Figure 3). The lure tries to convince the user that the document is encrypted or protected and that the macro code it contains must be enabled to view it. Clicking the “Enable Content” button in the upper left corner runs the AutoOpen() routine of the macro code, which downloads and executes the next stage of the malware in the background.

Figure 3: Word Template “Red Dawn” used by Emotet


To make the document appear more legitimate than it is, it contains a hidden block of text, visible in the screenshot of our hex editor in Figure 4. The text is a passage from “Moby Dick” by Herman Melville, which also inspired the title of the blog post you are reading right now.

Figure 4: Excerpt from “Moby Dick” contained in the Word file


The macro code in the Emotet maldocs (Figure 5) is heavily obfuscated and changes from sample to sample, so that every document carries a different hash, which makes consistent detection of these samples more difficult. This technique, commonly known as “hashbusting”, is only observed in a handful of other sophisticated crimeware strains.

Figure 5: Macros contained in the Word file, highly obfuscated
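Because hashbusting defeats hash-based blocking, macro triage has to key on behaviour instead: the auto-execution entry point and the objects and commands the macro assembles at run time. The script below is an added example, not the Emotet macro and not code from the original post or from Cryptolaemus. Its two VBA snippets are constructed to imitate the pattern described above (an AutoOpen() entry point, a `WScript.Shell` object and a PowerShell command built from `Chr()` calls and string concatenation); the indicator lists are assumptions chosen for illustration. It folds the concatenation chains back into literals, extracts indicators, and shows that two variants with different SHA-256 hashes yield the same behavioural fingerprint.

```python
"""Macro triage that survives hashbusting.

Added example, not code from the original post or from Cryptolaemus. The two
VBA snippets below are constructed to imitate the pattern the post describes
(an AutoOpen() entry point, the object and command strings assembled from
Chr() calls and concatenation); they are not the real Emotet macro, and the
indicator lists are assumptions chosen for illustration.
"""
import hashlib
import re

# Constructed sample A: AutoOpen() building "WScript.Shell" and a
# PowerShell command from Chr() calls and string concatenation.
SAMPLE_A = '''\
Sub AutoOpen()
    Dim qZk4 As String
    qZk4 = "pow" & "ersh" & "ell -enc " & "SQBFAFgA"
    Set pXw1 = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & "." & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
    pXw1.Run qZk4, 0
End Sub
'''

# Constructed sample B: same behaviour, identifiers and a junk comment changed,
# which is all it takes to produce a different file hash.
SAMPLE_B = SAMPLE_A.replace("qZk4", "mT7b").replace("pXw1", "vvR2") \
    .replace("Sub AutoOpen()", "' kJ8sdLq\nSub AutoOpen()")

AUTOEXEC = re.compile(
    r"\bSub\s+(AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b", re.I)
# Assumed list of suspicious API/command fragments (illustrative, not exhaustive).
SUSPICIOUS = ["CreateObject", "WScript.Shell", "Shell.Application", "powershell",
              ".Run", "URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "Environ"]

# One token of a concatenation chain: Chr(<n>) or a quoted literal.
_TOKEN = r'(?:Chr\(\d+\)|"[^"]*")'
_CHAIN = re.compile(_TOKEN + r"(?:\s*&\s*" + _TOKEN + r")+")


def _eval_token(tok: str) -> str:
    return chr(int(tok[4:-1])) if tok.startswith("Chr(") else tok[1:-1]


def decode_chr_chains(source: str) -> str:
    """Fold every `Chr(87) & "x" & Chr(83)` chain into one string literal."""
    def fold(m):
        parts = re.findall(_TOKEN, m.group(0))
        return '"' + "".join(_eval_token(p) for p in parts) + '"'
    return _CHAIN.sub(fold, source)


def triage(source: str) -> dict:
    """Static triage of one macro: entry points, suspicious calls, obfuscation
    hints, and a behaviour fingerprint that ignores hashbusting noise."""
    decoded = decode_chr_chains(source)
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(decoded)})
    lowered = decoded.lower()
    suspicious = sorted(s for s in SUSPICIOUS if s.lower() in lowered)
    return {
        "sha256": hashlib.sha256(source.encode()).hexdigest(),
        "decoded": decoded,
        "autoexec": autoexec,
        "suspicious": suspicious,
        "chr_calls": len(re.findall(r"Chr\(\d+\)", source)),
        "concatenations": source.count("&"),
        "fingerprint": (tuple(autoexec), tuple(suspicious)),
    }


if __name__ == "__main__":
    for name, src in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        r = triage(src)
        print(name, r["sha256"][:16], r["autoexec"], r["suspicious"], r["chr_calls"])
    print("same fingerprint:",
          triage(SAMPLE_A)["fingerprint"] == triage(SAMPLE_B)["fingerprint"])
```

Real Emotet macros use far more layers than `Chr()` chains, so in practice this kind of logic belongs behind a proper VBA extractor such as olevba; the point is that the fingerprint, not the hash, is what stays stable across hashbusted variants.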


Figure 6 shows some metadata of the second-stage payload, a DLL. This payload is again heavily obfuscated and consists of multiple modules. Its compile timestamp shows the hashbusting technique at work once more: at the time of writing, this payload had been compiled very recently.

Figure 6: Information on the second stage DLL
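The compile timestamp in Figure 6 comes from the `TimeDateStamp` field of the PE file's COFF header, and checking it is a routine triage step for freshly built payloads. The parser below is an added example, not code from the original post; the header bytes are constructed (a minimal DOS stub, PE signature and COFF file header, nothing else) so that it runs offline, and the timestamp 2023-03-07 12:00:00 UTC and the freshness window are assumptions chosen for illustration. The caveat a practitioner will want: the stamp is written by the attacker's build chain and can be forged, so treat it as a corroborating signal, never as proof.

```python
"""Read the compile timestamp and DLL flag from a PE header.

Added example, not code from the original post. The header bytes below are
constructed (a minimal DOS stub, PE signature and COFF file header, nothing
else) so the parser runs offline; the timestamp 2023-03-07 12:00:00 UTC and
the freshness window are assumptions chosen for illustration. A compile
timestamp is attacker-controlled and can be forged, so treat it as a weak,
corroborating indicator only.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def build_min_pe(timestamp: int, characteristics: int, machine: int = 0x8664) -> bytes:
    """Constructed stand-in: 64-byte DOS header with e_lfanew = 0x40, then the
    PE signature and a 20-byte COFF file header."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, characteristics)
    return dos + b"PE\x00\x00" + coff


def pe_compile_info(data: bytes) -> dict:
    """Parse Machine, TimeDateStamp and Characteristics from the COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, ts, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": ts,
        "compiled_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def compiled_recently(data: bytes, now: int, window_seconds: int = 7 * 86400) -> bool:
    """True when the stamp lies within `window_seconds` before `now`, i.e. the
    binary was (apparently) built just before it showed up in spam. Stamps in
    the future are rejected as forged rather than counted as fresh."""
    ts = pe_compile_info(data)["timestamp"]
    return 0 <= now - ts <= window_seconds


# Constructed sample: x64 DLL stamped 2023-03-07 12:00:00 UTC (assumed value).
SAMPLE_DLL = build_min_pe(1678190400, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)

if __name__ == "__main__":
    print(pe_compile_info(SAMPLE_DLL))
    print("fresh on 2023-03-08:", compiled_recently(SAMPLE_DLL, now=1678276800))
```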



It remains to be seen whether Emotet returns to its old strength, but we expect the E5 botnet cluster to join the spam-fest as well. Down the road, a swift shift in techniques is highly likely. Given that Microsoft now blocks macros in Office documents from the internet by default, other templates, encrypted archives and documents, or even OneNote notebooks would be options. That said, let's not give the group too many ideas.

In any case, businesses should continue to closely monitor e-mail traffic, use state-of-the-art security software such as EDR, and reduce the attack surface by blocking Office macros and restricting the execution of native executables.


Indicators of Compromise

b2bb80310dca2ee1127f4723ca27cf6a59f0243760e139f6f108cdb692b795f7 PO.doc

efcf59f4423df8fdacbfa8c3d23b6a3e4722bab65c31ea8a7f32daadddfa7adc VdaN1GI2TTwnq1xfcuZGiVPNHHbdxkEOc.dll



Do you need help regarding this threat? We are happy to support you with our managed and co-managed detection and response services! Contact our experts online or via phone:  +49 30 5557021 11


SECUINFRA Falcon Team · Author


Digital Forensics & Incident Response experts


The SECUINFRA Falcon Team specialises in Digital Forensics (DF) and Incident Response (IR). This includes classic host-based forensics as well as topics such as malware analysis and compromise assessment. In addition to its work on customer engagements, the Falcon Team is responsible for the operation, further development and research of various projects and topics in the DF/IR area, such as threat intelligence and the creation of detection rules based on Yara.