Infamous botnet turns to new file pumping tactic to attack users

Emotet has come back - again, and again

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

After being AWOL for a couple of months, the dreaded Emotet botnet is back and sports new tricks.

Cybersecurity researchers from Deep Instinct recently spotted a new variant of the infamous malware and claim it’s been updated with a few new tricks that help it evade detection by antivirus programs,Ars Technicareported.

As per the report, Emotet’s been doing what it does best - distributing weaponized Word files viaemail, carrying macros that - if enabled - trigger a malicious payload download from a third-party website. The file being distributed has been “pumped” - inflated to large sizes. That helps it evade triggering the antivirus.

Activating macros

Activating macros

Emotet uses different methods to “pump” the file - sometimes it just has zeros added to the end of the document, and sometimes there are entire paragraphs from Moby Dick copied and pasted - in white-colored font against a white background, so that they can’t be seen.

On average, the file is more than 500MB in size, the researchers said. Files of this size are usually not scanned by antivirus programs.

The contents of the document are also blurred out, with an overlaid message saying “document is protected” - to trick the victim to activate macros.

If that happens, the Word document will download a malicious .DLL file that’s also been “pumped”. The .DLL is hosted on a legitimate third-party site that’s been hacked and is being used as a mule - to distribute the malware.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Emotet is still the world’s worst malware - but maybe not for long>The Emotet botnet has returned with a vengeance>Check out the best firewalls right now

In case the victim ends up unknowingly downloading Emotet, it will scan the endpoint for passwords and other sensitive data, and extract it to a remote location.

Furthermore, it will use the compromised device to spread to more victims. As previously noted, Emotet usually spreads through email, by tapping into an existing email chain, and replying to a previous message in order not to raise any suspicion. In the email, Emotet will also address the victim by name.

Finally, the botnet is capable of downloading additional malicious payloads, such as the Ryuk ransomware, or the TrickBot malware.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

HPE reveals critical security bug affecting networking access points

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

New Secretlab Skins Lite let you overhaul the look of your chair for under $100