"Emotet Is Back and Delivers Payloads Like IcedID and Bumblebee"

Proofpoint researchers have warned of the return of the Emotet malware, observing a high-volume malspam campaign delivering payloads such as IcedID and Bumblebee in early November. The Emotet banking Trojan has been around since at least 2014, and the botnet is run by a threat actor known as TA542. The banking Trojan was also used to spread other malicious code, such as the Trickbot and QBot Trojans, as well as ransomware, including Conti, ProLock, Ryuk, and Egregor. In response to Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default, operators of the Emotet botnet began testing new attack techniques in April. Proofpoint researchers discovered a new variant of the Emotet bot in June that employs a new module to steal credit card information stored in the Chrome web browser. To stay under the radar, Emotet operators have improved their attack chain over time by employing multiple attack vectors. Between July and November 2022, the Emotet operators were inactive. Threat actors have been observed distributing hundreds of thousands of emails per day, implying that Emotet is resuming its full functionality as a delivery network for major malware families. The experts observed numerous changes to the bot and its payloads, and the operators modified the malware modules, loader, and packer. Proofpoint noticed new Excel attachment visual lures, changes to the Emotet binary, the IcedID loader dropped by Emotet being a light new version of the loader, and reports of Bumblebee being dropped alongside IcedID. The security firm observed a wave of attacks primarily targeting the US, the UK, Japan, Germany, Italy, France, Spain, Mexico, and Brazil. Recent attacks' emails typically included a weaponized Excel attachment or a password-protected ZIP attachment containing an Excel file. The Excel files contain XL4 macros that download the Emotet payload from a set of built-in URLs. The Excel files used in recent campaigns are unique in that they instruct recipients to copy the file to a Microsoft Office Template location and run it from there instead. This location is marked as "trusted," meaning that opening a document in this folder will result in no warnings. This article continues to discuss the reemergence of the Emotet malware. 

Security Affairs reports "Emotet Is Back and Delivers Payloads Like IcedID and Bumblebee"