The Emotet trojan has seen a spike in activity in the last month, with a campaign that once again showcases its ability to evolve quickly: It’s now employing a different delivery mechanism than has previously been seen, in what appears to be an effective tactic for evasion.
Emotet, which has become a bit of a chameleon in the malware world thanks to its penchant for constantly adding new functionality, is now being delivered via embedded macros inside XML files disguised as Word documents, according to Menlo Security.
“In the past, we have seen Emotet being delivered through regular macro-infested Word documents, but this technique of disguising an XML document as a Word document seems to be a recent change in the delivery technique,” the company said in a Wednesday blog post. “With such constant changes in tactics from the Emotet threat actors, we foresee that this campaign will continue to evolve and become more sophisticated.”
Krishnan Subramanian, security research engineer at Menlo Labs, told Threatpost that on average, Menlo has seen up to 15 different customers per day being targeted across its customer base, every day since mid-January. The healthcare vertical was the most targeted.
In addition to hospitals, doctors’ offices and the like (representing 32.5 percent of the attacks), consumer products companies are in the crosshairs (22.5 percent of attacks) and insurance (17.5 of attacks).
In the set of documents it analyzed, Menlo observed that 80 percent were disguised as Word documents with a .doc extension, but they were actually XML files.
“Typically, detection technology identifies the file based on ‘True File Type’ capabilities, which will return this as an XML file; with no means to open such a file type, it will be allowed to the end user,” Subramanian told Threatpost. “Once the end user receives the file, Word will open and the attack will progress.”
This is a technique used to evade sandboxes, which typically use the true file type of an attachment and not the file’s extension to identify the application they need to run in inside the sandbox.
And indeed, in 10 percent of the cases, the document went undetected by traditional antivirus, Menlo said.
The remaining 20 percent of malicious documents observed were standard Word documents with an embedded malicious macro, which is Emotet’s usual M.O.
Emotet, Always on the Move
Emotet has evolved over time from its humble roots as a banking trojan, and is one of the most widespread malwares on the scene today. According to Proofpoint’s latest quarterly report, analyzing trends for the fourth quarter of 2018 based on its telemetry, out of all the trojans that make up 56 percent of all malicious payloads at the end of last year, Emotet comprised 76 percent of them.
According to a US-CERT alert published in 2018, “Emotet continues to be among the most costly and destructive malware affecting state, local, tribal and territorial (SLTT) governments, and the private and public sectors.”
The secret of its success lies in its adaptability, according to BitDam CEO and co-founder Liron Barak.
“Banking trojans such as Emotet keep evolving and we see more of them and their variants bypassing common security solutions,” he told Threatpost. “This trend is not going anywhere. Unfortunately, no matter how many security updates and patches are published, malicious actors will continue to get more sophisticated employing innovative tactics.”
In 2018, the Emotet group added the ability to be a malware delivery service—including to other banking trojans. Last fall, Emotet added a mass email harvesting module; and for Thanksgiving, it switched up its usual financial-themed spam verbiage. Looking to take advantage of a nation preparing for a collective food coma, its spam lure read: “In this season of thankfulness, we are especially grateful to you, who have worked so hard to built the success of our company. Wishing you and your family a Thanksgiving full of blessings.”
It also continues to innovate on the obfuscation and evasion front, as seen in this latest rash of attacks.
“Emotet continues to use novel techniques to bypass existing security detection mechanisms, and this seems to be the reason behind its success,” Subramanian said. “This recent technique of using malicious XML files is an example of the change in tactic.”
There’s little specific information about the authors behind Emotet, though it’s a safe bet that multiple cybercrime groups are using it.
“The Emotet trojan has been around since 2014 and we do believe that the recent success is likely because the original malware has been reused in multiple attacks,” Subramanian explained.