Researchers from BlackBerry recently published a blog post documenting changes in the Emotet trojan. On the attack side, it now includes an SMB spreader for lateral movement and a module that scrapes Google Chrome for stored credit card data. The malware has also been observed dropping both IcedID, a banking trojan, and Bumblebee, the loader that succeeded BazarLoader. For evasion, Emotet now uses Heaven's Gate, a technique that lets 32-bit code switch the processor into 64-bit mode and call 64-bit APIs directly; this allows the 32-bit Emotet payload to inject into 64-bit processes while sidestepping user-mode hooks that security products place on the 32-bit (WoW64) API layer. Phishing emails carrying the .xls dropper have also been seen instructing victims to copy the file into the default Office Templates folder. Office treats this folder as a Trusted Location, so macros in a document opened from it run without the usual security warning.
Keeping Endpoint Detection and Response (EDR) tooling up to date and properly tuned helps identify process injection, including Heaven's Gate-style transitions that evade 32-bit API hooking. To blunt the macro bypass, restrict write access to the default Office Templates directories (and consider removing them from Office's Trusted Locations via Group Policy) so that a user cannot turn an untrusted document into a trusted one simply by copying it. The SMB spreader can be detected by baselining normal SMB (TCP/445) NetFlow per host and alerting on deviations, such as a workstation suddenly opening SMB sessions to many peers it has never contacted before; building and tuning such baselines, however, requires a well-staffed security team.
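The baseline-and-deviation approach described above, as an added example that is not part of the BlackBerry report or any vendor's product: a small Python detector that learns, per source host, how many distinct SMB destinations it normally talks to and which ones, then alerts when a host fans out far beyond that to peers it has never contacted. The NetFlow-style records, host names and thresholds (`fanout_factor`, `min_new_peers`) are constructed for illustration.

```python
"""Added example: per-host SMB fan-out baseline and deviation alerting.
All flow records below are constructed, not captured from a real network."""
from collections import defaultdict
from dataclasses import dataclass

SMB_PORT = 445


@dataclass(frozen=True)
class Flow:
    day: int      # day index inside the observation window (constructed)
    src: str      # source host
    dst: str      # destination host
    dport: int    # destination TCP port


# Constructed baseline: seven "normal" days. Workstations talk SMB to a file
# server and a print server; an admin box touches one workstation per day.
BASELINE = []
for day in range(1, 8):
    BASELINE += [
        Flow(day, "ws-01", "fileserver", SMB_PORT),
        Flow(day, "ws-02", "fileserver", SMB_PORT),
        Flow(day, "ws-07", "fileserver", SMB_PORT),
        Flow(day, "ws-07", "printsrv", SMB_PORT),
        Flow(day, "admin-01", f"ws-0{day}", SMB_PORT),
        Flow(day, "ws-03", "web", 443),  # non-SMB traffic is ignored
    ]

# Constructed day 8: ws-07 suddenly opens SMB sessions to eleven other
# workstations, the fan-out pattern an SMB spreader produces.
TODAY = [
    Flow(8, "ws-01", "fileserver", SMB_PORT),
    Flow(8, "ws-07", "fileserver", SMB_PORT),
] + [Flow(8, "ws-07", f"ws-{n:02d}", SMB_PORT) for n in range(1, 13) if n != 7]


def smb_peers_per_day(flows):
    """Map (src, day) -> set of distinct SMB destinations contacted that day."""
    peers = defaultdict(set)
    for f in flows:
        if f.dport == SMB_PORT:
            peers[(f.src, f.day)].add(f.dst)
    return peers


def build_baseline(flows):
    """Per source host: the largest daily SMB peer count seen in the baseline
    window, and the full set of SMB destinations it has ever contacted."""
    max_peers = defaultdict(int)
    known = defaultdict(set)
    for (src, _day), dsts in smb_peers_per_day(flows).items():
        max_peers[src] = max(max_peers[src], len(dsts))
        known[src] |= dsts
    return max_peers, known


def detect(baseline_flows, new_flows, fanout_factor=3, min_new_peers=5):
    """Alert when a host's daily SMB peer count is at least fanout_factor times
    its historical maximum AND at least min_new_peers of those peers are hosts
    it never contacted during the baseline. Requiring both conditions keeps a
    host that merely re-visits its usual servers, or an admin box that touches
    one new host a day, from tripping the rule."""
    max_peers, known = build_baseline(baseline_flows)
    alerts = []
    for (src, day), dsts in smb_peers_per_day(new_flows).items():
        new_peers = dsts - known[src]
        hist = max_peers.get(src, 0)
        if len(dsts) >= fanout_factor * max(hist, 1) and len(new_peers) >= min_new_peers:
            alerts.append({
                "host": src,
                "day": day,
                "smb_peers": len(dsts),
                "baseline_max": hist,
                "new_peers": sorted(new_peers),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE, TODAY):
        print(f"[ALERT] {alert['host']} day {alert['day']}: "
              f"{alert['smb_peers']} SMB peers (baseline max {alert['baseline_max']}), "
              f"{len(alert['new_peers'])} never seen before")
```

Run against the constructed data, only ws-07 on day 8 fires; the baseline replayed against itself produces no alerts. The thresholds are assumptions and are exactly the part that needs tuning per environment: file servers, backup hosts and vulnerability scanners legitimately fan out over SMB and should either be excluded or given their own baselines, which is the staffing cost the paragraph above refers to.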