HP Threat Research Blog Emotet’s Return: What’s Different?

December 9, 2021 Category: Threat Research By: Patrick Schläpfer Comments: 0

Emotet’s Return: What’s Different?

On 15 November 2021, Emotet returned after an almost 10-month hiatus and is currently being spread again in large malicious spam campaigns. The malware operation behind Emotet was disrupted in January 2021 by law enforcement, leading to a dramatic reduction in activity. However, this lull has proven temporary, with Emotet’s return demonstrating the resilience of botnets and their operators. The malware’s resurgence raises questions about what has changed in the new binaries being distributed, which we briefly explore in this article.

Campaign Isolated by HP Wolf Security, November 2021

In November, HP Sure Click Enterprise – part of HP Wolf Security – isolated a large Emotet campaign against an organization. Figure 1 shows how a user opened an Excel email attachment containing a malicious macro. The macro spawned cmd.exe, which attempted to download and run an Emotet payload from a web server. Since malware delivered over email is extremely common, HP Sure Click automatically treats files delivered via email as untrusted. When the user opened the attachment, HP Sure Click isolated file in a micro-virtual machine (micro-VM), thereby preventing the host from being infected. HP Sure Click also detected potentially malicious behavior in the micro-VM, so generated and sent an alert to the customer’s security team containing an activity trace describing what happened inside the VM (Figure 2).