Re-Emerging Emotet Malware Adds 19th-Century Literature Evasion and Other Improvements

Prajeet Nair (@prajeetspeaks) • Mar 14, 2023

Image: Illustration for Herman Melville's "Moby Dick" by Augustus Burnham Shute, from the 1892 edition.

Emotet malware is back in action. Security researchers have logged the latest sightings of the Trojan, which favors Microsoft Office documents and has settled into a cycle of re-emergence and hibernation.

Before the latest wave of malicious Emotet emails began earlier this month, the malware had last been active for two weeks in November, Cofense researchers said. The latest batch of malicious emails contains compressed Office documents with embedded macros, along with social-engineering prompts designed to trick users into ignoring the security warnings Microsoft displays to prevent infection from downloaded files.

Trend Micro says Emotet has new command-and-control infrastructure and new evasion techniques. Deep Instinct says one evasion technique is pasting a portion of the 19th-century American novel "Moby Dick" into the malicious Word document as white text, covertly inflating the word count. "Many security tools classify Word documents containing only images and macros as malicious, and this is almost always the case," the company said.

Emotet also applies a technique called binary padding, or file pumping, to make malicious attachments larger than the size limits imposed by antimalware solutions such as sandboxes and scanning engines, Trend Micro said. If a user enables the malicious macros, Emotet delivers a Windows DLL file bloated from 616 kilobytes to 548.1 megabytes.
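As an added illustration from the defender's side (not code from Deep Instinct, Trend Micro or the campaign described here), the Python below scores a file for the two padding tricks described above: how much of a .docx's word count sits in white-coloured text, and how much of a file is a trailing run of filler bytes. The Word markup handling, regexes and 0.9 threshold are simplified assumptions, and the sample document is constructed inline.

```python
import io
import re
import zipfile
# Constructed sample (not a real Emotet lure): a visible lure sentence plus a run
# coloured pure white (FFFFFF) that holds filler prose invisible on the page.
SAMPLE_DOCUMENT_XML = (
    "<w:document><w:body>"
    "<w:p><w:r><w:t>Please enable content to view this invoice.</w:t></w:r></w:p>"
    '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
    "<w:t>Call me Ishmael. Some years ago never mind how long precisely having "
    "little or no money in my purse and nothing particular to interest me on "
    "shore</w:t></w:r></w:p>"
    "</w:body></w:document>"
)
# A run is <w:r> or <w:r attr=...>; requiring '>' keeps <w:rPr> from matching.
RUN_RE = re.compile(r"<w:r(?:\s[^>]*)?>(.*?)</w:r>", re.S)
TEXT_RE = re.compile(r"<w:t(?:\s[^>]*)?>(.*?)</w:t>", re.S)
WHITE_RE = re.compile(r'<w:color\s+w:val="[Ff]{6}"')

def build_sample_docx() -> bytes:
    """Pack the constructed XML into a minimal .docx (a zip) so the demo runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()

def white_text_ratio(docx_bytes: bytes) -> float:
    """Fraction of words in white-coloured runs: the text padding the word count."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml = zf.read("word/document.xml").decode("utf-8")
    hidden = visible = 0
    for run in RUN_RE.findall(xml):
        words = sum(len(t.split()) for t in TEXT_RE.findall(run))
        if WHITE_RE.search(run):
            hidden += words
        else:
            visible += words
    total = hidden + visible
    return hidden / total if total else 0.0

def trailing_pad_ratio(data: bytes) -> float:
    """Fraction of a file that is one repeated byte at its tail (naive file pumping)."""
    if not data:
        return 0.0
    stripped = data.rstrip(data[-1:])
    return (len(data) - len(stripped)) / len(data)

def is_pumped(data: bytes, pad_threshold: float = 0.9) -> bool:
    return trailing_pad_ratio(data) >= pad_threshold
```

Both ratios are cheap to compute before a file ever reaches a size-limited sandbox, which is exactly the stage the padding is meant to slip past.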

Called "one of the most professional and long-lasting cybercrime services" by Europol, Emotet has caused hundreds of millions of dollars in damage. Jason Meurer, a cybersecurity researcher at Cofense, told Information Security Media Group that although Emotet began as a banking Trojan, its main purpose today is to serve as a gateway for the ransomware deployed by threat actors reconstituted from the Conti group.

A multinational law enforcement operation in 2021 disrupted the Emotet botnet, but it didn't take long for Emotet to make a comeback.

The threat group, alternately tracked as TA542, Mummy Spider and Gold Crestwood, was behind "massive" Emotet activity in 2022, likely linked to botnet development, Proofpoint said at the time.

There is now anecdotal evidence that a new operator has taken control of Emotet. "He seems to be trying to relearn how to operate, but then he's also trying some new techniques, like these new big documents they're doing," Meurer said.

“There’s been some mergers and acquisitions going on on the back end, and it doesn’t always seem like we can figure out exactly what’s going on, but we have a pretty good idea.”

Emotet's activity appears to be the inverse of Qakbot's, Meurer added, suggesting a link between the two botnets.

With a report from David Perera, ISMG, Washington, DC

