Emotet malware returns with better evasion capabilities

After months of inactivity, all botnets are showing signs of life, researchers warn

Emotet, one of today's most dangerous malware botnets, is back with improved modules to conceal its presence on infected networks and machines.

That's according to researchers at cyber security firm MalwareTech, who revealed that the threat actors behind the Emotet botnet have completely redesigned their malware and some of its modules to equip it with enhanced anti-malware evasion capabilities.

"Emotet is back and better (worse) than before. After months of inactivity, all botnets are showing signs of life and utilising new evasion techniques," the researchers stated on Twitter.

"Botnet E2 is currently deploying credential and email stealing modules, likely in preparation for a new spam campaign."

According to the researchers, the botnets have now started using a hashbusting technique to ensure that the malware's file hash is not the same on each infected system, defeating detection that relies on matching known file hashes. Moreover, the new Emotet code now utilises "a state machine to obfuscate control flow".

"Branches are flattened into nested loops, allowing code blocks to be placed in arbitrary order, with flow controlled by a randomised state value," the researchers said.

"This allows for easy code mutation and possibly polymorphism."
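To make the description concrete for analysts, the following is an added illustration (not Emotet's code, and not from the MalwareTech researchers) of control-flow flattening: a small routine written with ordinary branches, then the same routine split into blocks listed in arbitrary order and driven by a dispatcher loop whose state constants are drawn from a seed. The routine, block names and seed handling are constructed for the example.

```python
import random

def sum_evens_plain(values):
    """Reference routine with ordinary branches: sum the even numbers,
    stopping at the first negative value."""
    total = 0
    for v in values:
        if v < 0:
            break
        if v % 2 == 0:
            total += v
    return total

# The same routine as basic blocks. Each block mutates the shared locals
# and returns the symbolic label of the next block. The dict order below
# has nothing to do with execution order.
def _add(loc):
    loc["total"] += loc["vals"][loc["i"]]
    return "advance"

def _advance(loc):
    loc["i"] += 1
    return "loop_test"

def _loop_test(loc):
    if loc["i"] >= len(loc["vals"]) or loc["vals"][loc["i"]] < 0:
        return "exit"
    return "parity"

def _parity(loc):
    return "add" if loc["vals"][loc["i"]] % 2 == 0 else "advance"

BLOCKS = {"add": _add, "advance": _advance, "loop_test": _loop_test, "parity": _parity}
ENTRY, EXIT = "loop_test", "exit"

def build_state_map(seed):
    """Assign every label (including the exit) a distinct random 32-bit state
    value. A different seed gives different constants in the dispatcher, so
    the same logic can be re-emitted with new byte patterns per build."""
    rng = random.Random(seed)
    labels = list(BLOCKS) + [EXIT]
    return dict(zip(labels, rng.sample(range(1, 2**32), len(labels))))

def sum_evens_flattened(values, seed=0):
    """Dispatcher loop: the state value selects a block, the block returns
    the next label, and the label is translated back to a state value."""
    state_map = build_state_map(seed)
    by_state = {state_map[label]: fn for label, fn in BLOCKS.items()}
    loc = {"vals": values, "i": 0, "total": 0}
    state = state_map[ENTRY]
    while state != state_map[EXIT]:
        state = state_map[by_state[state](loc)]
    return loc["total"]
```

Both versions return identical results for every input, which is the point for an analyst: the dispatcher loop and its changing state constants are what a static signature or a disassembler's branch graph sees, while the underlying logic is unchanged.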

Emotet was originally developed as a banking Trojan, like Trickbot, although it has been rewritten several times in recent years to work as a malware loader.

According to researchers at cyber security firm Malwarebytes, this malware was removed from nearly 1.5 million systems in the first nine months of 2018.

Last year, the threat from Emotet became so critical that US-CERT was forced to issue an alert to warn organisations about the botnet.

Emotet can deliver modules able to steal passwords from local apps and spread laterally to other machines on the network. These modules can even steal entire email threads and reuse them later in spam campaigns.

The cyber actors behind Emotet are also known to run their botnet as a Malware-as-a-Service (MaaS) operation. As part of the scheme, other cyber gangs can rent access to Emotet-infected machines to drop their own malware strains.

In September last year, researchers at Cisco Talos said that they had observed Emotet taking advantage of stolen email credentials in a new campaign, launched by the Emotet operators after a gap of nearly four months.