
EMOTET returns from “Spring Break” with new tricks up its sleeve – Proofpoint threat research

April 2022 by Proofpoint

Cybersecurity researchers at Proofpoint have today published new research revealing brand new tactics used to distribute the notorious Emotet botnet, indicating that the cybercriminal group (TA542) is testing new attack techniques on a small scale before adopting them for larger volume campaigns.

In recent activity from April 2022, the TA542 group displayed a number of unusual tactics:

• The low-volume nature of the activity – Typically, Emotet distributes high-volume email campaigns to many targets globally.

• The use of OneDrive URLs – Typically, Emotet delivers Microsoft Office attachments or URLs (hosted on compromised sites) linking to Office files.

• The use of XLL files – Typically, Emotet uses Microsoft Excel or Word documents containing VBA or XL4 macros.

It is notable that TA542 is interested in new techniques that do not rely on macro-enabled documents, as Microsoft is making it increasingly difficult for threat actors to use macros as an infection vector.

Sherrod DeGrippo, Vice President, Threat Research and Detection, Proofpoint, commented: “After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs alongside its existing high-volume campaigns. Organisations should be aware of the new techniques and ensure they are implementing defenses accordingly.”

