4 Tactics to Detect & Contain Emotet’s Latest Evolution 

Emotet’s latest evolution is bypassing old detection techniques.  

In Mid-April, the Emotet botnet significantly increased its volume of malicious emails. Binary Defense Threat Hunters have observed Emotet payloads slipping through email filters and executing on workstations in US-based companies’ networks. The threat group behind Emotet changed delivery tactics for the malware, as well as the malware payload. These changes have increased the chance that Emotet will slip past email security screening filters and static anti-virus tools. When compared to the previous 32-bit versions of the Emotet payload, the updated 64-bit version is being detected at a significantly lower rate by anti-virus platforms.  

Binary Defense is recommending the following practical steps that enterprise security teams can take to reduce the chances of Emotet causing an incident in their IT environments.  

• Block or quarantine email attachments of file types that are not required for business operations 
  • Emotet recently used password-protected ZIP files containing .ISO files (disk images) with malicious .LNK files (Windows shortcuts launching PowerShell) inside 
  • Other unusual ZIP alternative file formats have been used in the past, including .ARJ, .BZ2, and many others 
  • Threat actors prefer these obscure file types because they often evade detection by anti-virus solutions and automated malware execution sandboxes  
• Block all the archive file types not needed for business operations  
  • Take the time to find out all the archive file types that are supported by any archive utility software allowed on your workstations (7-Zip, WinRAR, WinZip) 
• Block or flag all .XLL files
  • Another tactic used by Emotet and other malware delivery threats recently is packaging malware in .XLL files. This Excel extension can execute arbitrary program code when Excel loads them 
• Stay vigilant on Emotet’s evolution 
  • Sometimes, the very trick that the threat actors use in hopes of flying under the radar is what makes them easily detected by security analysts who know what to look for.  
  • For example, previously, Emotet was delivered by Excel launching the built-in Windows tool regsvr32.exe to run an .OCX file. This would be highly unusual to see in the normal course of operations for Excel, and if security analysts have EDR tools to observe process start events and know to look for this pattern, it is easy to identify and respond to contain the threat.   

The threat group behind Emotet is constantly evolving and experimenting with new ways to deliver malware to more workstations. Prior to its disruption by law enforcement in January 2021, Emotet was the most prevalent, most successful botnet malware in the world. It is likely to continue to be one of the most common malwares to infect endpoints at businesses around the world. Often times, Emotet will drop Cobalt Strike to enable further compromise of networks, or prepare the way for the deployment of ransomware. Emotet is distributing by malicious attachments in phishing emails, so the best defense is to train employees to spot and report phishing emails and to never enable macros on Microsoft Office documents unless they are certain that there is a business need. 

By staying up to date with the latest techniques and taking steps to prevent and detect the threat, you and your partners in security can reduce the risk of impact to your organization. To help stay up to date with the latest threat intelligence, subscribe to our daily Threat Watch. The experts on our Threat Hunting team analyze the latest cybersecurity news and offer insights that you can leverage to protect your business.