A new report today from artificial intelligence cybersecurity platform company Deep Instinct Ltd. details a rapid rise in Emotet malware this year, with new versions and campaigns emerging.

Once described as “the world’s most dangerous malware,” Emotet has continued to reemerge since its debut in 2014 despite efforts to stop it. Emotet operates both as malware and as a botnet with a history ranging from being used to target bank accounts to later campaigns that involve the installation of ransomware.

Emotet ran wild with a Microsoft Office phishing campaign in 2020 that was focused on installing additional malware for spamming, general credential stealing, email harvesting and spreading on local networks. That campaign prompted a warning from the Cybersecurity and Infrastructure Security Agency in October 2020, warning that state and local governments need to fortify their systems against Emotet attacks.

The European Union Agency for Law Enforcement Cooperation, better known as Europol, claimed in January 2021 to have taken Emotet down, but by November, Emotet had returned.

After Emotet reemerged in the last quarter of 2021, several massive new malicious spam campaigns have been observed since March.

Emotet detections spiked upwards of 27-fold in the first quarter of 2022 compared to the last quarter of 2021. In March 2022, many of the attacks have targeted victims in Japan, but as of April and May 2022, Italy and the U.S. have also been targeted.

The newer versions of Emotet are deploying a range of new attack vectors. The researchers observed an almost 900% increase in the use of Microsoft Excel macros compared with the fourth quarter of 2021. The attacks targeting Japanese victims used hijacked email threads and then used those accounts as a launch point to trick victims into enabling macros of attached malicious office documents.

Another observation of the “new and improved” Emotet is its effectiveness in collecting and using stolen credentials. Those credentials, in turn, are weaponized to distribute the Emotet binaries further.

Key findings in the research include 9% of threats linked to Emotet being unknown and never-before-seen. Some 14% of the email malware has bypassed at least one email gateway security scanner before it was captured. And 45% of the malware detected were utilizing some type of office attachment.

The most common attachments used to deliver the malware were spreadsheets at 33%, executables and scripts at 29%, archives at 22% and documents at 11%.

Emotet now uses 64-bit shell code and more advanced PowerShell and active scripts. Almost 20% of all malicious samples exploited a 2017 Microsoft vulnerability named CVE-2017-11882.

Dark Instinct’s observations come as other reports also indicate new Emotet campaigns. Bleeping Computer reported June 8 on an Emotet campaign attempting to infect potential victims with a credit card stealer module to harvest credit card information stored in Google Chrome user profiles.

The Health Sector Cybersecurity Coordination Center has also issued a warning that Emotet variants are targeting the healthcare industry.

Image: Malwarebytes