Like the proverbial bad penny that constantly keeps turning up, the Emotet malware operation has resurfaced yet again — this time after a lull of about three months.

Security researchers this week noted that the group is once again posing a threat to organizations everywhere, with malicious email activity associated with Emotet resuming early on March 7. The emails have been arriving in victim inboxes as innocuous-looking replies to existing email conversations and threads, so recipients are more likely to trust their content. Some of the Emotet emails have been landing as new messages as well.

Very Large File & Payload

The emails contain a .zip attachment, which, when opened, delivers a Word document that prompts the user to enable a malicious macro. If enabled, the macro, in turn, downloads a new version of Emotet from an external site and executes it locally on the machine.

Researchers from Cofense and Hornet Security who observed the fresh malicious activity described the Word documents and the malicious payload as inflated in size and coming in at more than 500MB each. Overall, the volume of the activity has remained unchanged since early March 7, and all of the emails have been attachment-based spam, the researchers said.

"The malicious Office documents and the Emotet DLLs we're seeing are very large files," says Jason Muerer, senior research engineer at Cofense. "We have not yet observed any links with the emails."

Hornet Security ascribed the large file and payload sizes as a likely attempt by the group to try and sneak the malware past endpoint detection and response (EDR) tools. "The latest iteration of Emotet uses very large files to bypass security scans that only scan the first bytes of large files or skip large files completely," according to a post by Hornet researchers. "This new instance is currently running at a slow pace, but our Security Lab expects it to pick up."

A Malware That Refuses to Die

Emotet is a malware threat that first surfaced as a banking Trojan in 2014. Over the years, its authors — variously tracked as Mealbug, Mummy Spider, and TA542 — have turned the erstwhile banking Trojan into a sophisticated and lucrative malware delivery vehicle that other threats actors can use to deliver different malicious payloads. These payloads have in recent years included highly prolific ransomware strains, such as Ryuk, Conti, and Trickbot.

The threat actors' preferred mode for delivering Emotet has been via spam emails and phishing, crafted to get users to open attached files or to click on embedded links to malware delivery sites. Once the threat actor compromises a system, Emotet is used to download other malware on it for stealing data, installing ransomware, or for other malicious activities such as stealing financial data. Emotet's command-and-control infrastructure (C2) presently runs on two separate botnets that security vendors have designated as epoch 4 (E4) and epoch 5 (E5)

In early 2021, law enforcement officials from multiple countries disrupted Emotet's infrastructure in a major collaborative effort that has done little to stop the threat actor from continuing its malware-as-a-service. At the time, the US Department of Justice assessed that Emotet's operators had comprised over 1.6 million computers worldwide between April 2020 and January 2021. Victims included organizations in healthcare, government, banking, and academia.

New Activity, Same Tactics

An October 2022 analysis of the Emotet threat group by security researchers at VMware identified multiple reasons for the group's continued ability to operate after the massive law enforcement takedown. These included more complex and subtle execution chains, constantly evolving methods to obfuscate its configuration, and using a hardened environment for its C2 infrastructure.

"Emotet has been used to deliver a range of secondary payloads," Muerer says. "While it was predominantly delivering other malware families in the past, there is evidence that the current endgame for these actors will likely be focused on ransomware."

There's nothing about the new Emotet activity that suggests that the threat group has deployed any new tactic or technique, Muerer says. The email-thread hijacking tactic and the macro-enabled Word documents are both tactics that the operators have been using for some time. And, as always, the primary infection vector remains spam and phishing emails.

"Nothing major has shifted that we are aware of," Muerer says. "Emotet remains a threat to everyone, with a disproportionately high impact on small businesses and individuals."