Threat Watch

Emotet Botnet Switches to 64-bit Modules, Increases Activity

The Emotet malware has recently increased its malicious email distribution and is likely to soon switch to new 64-bit payloads that are currently detected by fewer antivirus engines. Security researchers monitoring the botnet are observing that emails carrying malicious payloads last month have increased tenfold. Emotet is a self-propagating modular trojan that can maintain persistence on the host. It is used for stealing user data, performing network reconnaissance, moving laterally, or dropping additional payloads such as Cobalt Strike and ransomware in particular. It has been spotted growing slowly but steadily since the beginning of the year, but its operators may be shifting up a gear now. As for the themes, Emotet distributors are known for changing the topics regularly to take advantage of seasonal interest swifts. This time it’s the Easter celebration they’re taking advantage of.  The Cryptolaemus security research group, who is keeping a sharp eye on Emotet botnet activity, said that the malware operators have also switched to 64-bit loaders and stealer modules on Epoch 4, one of subgroups of the botnet that run on separate infrastructure. Previously, it relied on 32-bit code. The switch is not visible on Epoch 5 but the delay is expected, since Epoch 4 typically serves as a development test-bed for the Emotet operators, researchers from Cryptolaemus say.

ANALYST NOTES

Prior to its disruption by law enforcement in January 2021, Emotet was the most prevalent, most successful botnet malware in the world. It is likely to continue to be one of the most common malwares to infect endpoints at businesses around the world. Often times, Emotet will drop Cobalt Strike to enable further compromise of networks, or prepare the way for the deployment of ransomware. Emotet is distributing by malicious attachments in phishing emails, so the best defense is to train employees to spot and report phishing emails and to never enable macros on Microsoft Office documents unless they are absolutely certain that there is a business need.

https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/