Considered by many to be one of the top threats on the Internet, the Emotet botnet is back after a long hiatus with some new tricks.
Last week, Emotet made its first appearance of the year after a four-month hiatus, and it is back to its trademark activity: a wave of malicious spam that appears to come from a known contact, addresses recipients by name, and ostensibly replies to an existing thread. When Emotet returned from previous breaks, it brought new techniques designed to evade endpoint security products and trick users into clicking links or enabling dangerous macros in Microsoft Office documents.
Last week’s resumption was no different. For example, a malicious email sent last Tuesday attached a Word document with a large amount of extra data appended to its end. The resulting file is more than 500 MB, large enough that some security products will not scan its content at all. The technique, known as binary padding or file pumping, works by appending zeros to the end of the document. If someone is tricked into enabling the macro, the malicious Windows DLL it drops is padded the same way, inflating it from 616 KB to 548.1 MB, researchers from security firm Trend Micro said Monday.
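The check a scanner needs against this trick is cheap: measure the run of null bytes at the end of the file, and treat the file's "effective" size (and hash) as what is left once that run is stripped. The following is an added illustration, not code from Trend Micro or from the malware; the thresholds, the function names and the sample bytes are constructed for this example.

```python
"""Detect binary padding ("file pumping"): a file whose tail is a long run of
null bytes. Added illustration, not Trend Micro's or Emotet's code. The
threshold values are assumptions chosen for this example."""
import hashlib

# Assumed policy knobs (not from the article): flag a file when the trailing
# null run is at least MIN_PAD bytes and makes up at least MIN_RATIO of it.
MIN_PAD = 1024 * 1024          # 1 MiB of trailing zeros
MIN_RATIO = 0.5                # half the file or more is padding


def trailing_nulls(data: bytes, chunk: int = 1 << 20) -> int:
    """Count trailing 0x00 bytes, scanning from the end in chunks so that a
    500 MB pumped file does not require a byte-by-byte Python loop."""
    n = 0
    end = len(data)
    while end > 0:
        start = max(0, end - chunk)
        block = data[start:end]
        stripped = block.rstrip(b"\x00")
        n += len(block) - len(stripped)
        if stripped:          # hit a non-zero byte inside this chunk
            break
        end = start
    return n


def analyze(data: bytes) -> dict:
    """Report padded vs. effective size and a hash of the unpadded content."""
    pad = trailing_nulls(data)
    total = len(data)
    ratio = pad / total if total else 0.0
    effective = data[: total - pad]
    return {
        "size": total,
        "padding": pad,
        "effective_size": total - pad,
        "padding_ratio": ratio,
        "pumped": pad >= MIN_PAD and ratio >= MIN_RATIO,
        # Hash of the content with the padding stripped: the same payload
        # pumped to different sizes hashes the same here, so padding alone
        # cannot defeat a blocklist keyed on this value.
        "sha256_effective": hashlib.sha256(effective).hexdigest(),
    }


# Constructed sample inputs (not real samples): a small fake zip-like document
# body followed by 3 MiB of zeros, and the same body without padding.
BODY = b"PK\x03\x04" + bytes(range(256)) * 40   # 10,244 bytes, ends in 0xff
PUMPED = BODY + b"\x00" * (3 * 1024 * 1024)
CLEAN = BODY

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("pumped", PUMPED)):
        r = analyze(blob)
        print(f"{name}: size={r['size']} padding={r['padding']} "
              f"pumped={r['pumped']} sha256={r['sha256_effective'][:16]}...")
```

Two caveats for anyone turning this into a real control. A whole-file hash of a pumped sample differs from the hash of the same payload pumped to a different size, which is why the hash above is computed over the trimmed content. And legitimate documents, OLE compound files in particular, can end in a modest run of zero bytes, so the decision is gated on both an absolute size and a ratio rather than on the mere presence of trailing nulls.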
Another evasion trick was found in the attachment: excerpts from Herman Melville’s classic novel Moby Dick, rendered in white font on a white page so that the text is invisible. Some security products automatically flag Microsoft Office files that contain only a macro and an image. The invisible text is designed to evade such software without arousing the target’s suspicion.
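Because a .docx is just a zip archive of XML, the hidden filler is easy to measure: walk the runs in word/document.xml and count the characters whose run properties make them invisible. The example below is added here and is not code from the article or from Trend Micro. It treats a white colour (`w:color w:val="FFFFFF"`) as hidden, which is the case the article describes, and also treats the OOXML hidden-text flag (`w:vanish`) the same way, which goes beyond the article; the sample document, the `build_docx` helper and the "suspicious" rule are constructed for this example.

```python
"""Flag text hidden in a .docx by white font colour (or the w:vanish hidden-text
property). Added example; not code from the article or from Trend Micro."""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def hidden_text_stats(docx_bytes: bytes) -> dict:
    """Return character counts for visible vs. hidden runs in word/document.xml.

    A run (w:r) counts as hidden when its run properties (w:rPr) carry either
    a white colour (w:color w:val="FFFFFF") or the hidden-text flag (w:vanish).
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    visible = hidden = 0
    for run in root.iter(W + "r"):
        rpr = run.find(W + "rPr")
        is_hidden = False
        if rpr is not None:
            color = rpr.find(W + "color")
            if color is not None and color.get(W + "val", "").upper() == "FFFFFF":
                is_hidden = True
            if rpr.find(W + "vanish") is not None:
                is_hidden = True
        text = "".join(t.text or "" for t in run.iter(W + "t"))
        if is_hidden:
            hidden += len(text)
        else:
            visible += len(text)
    total = visible + hidden
    return {
        "visible_chars": visible,
        "hidden_chars": hidden,
        "hidden_ratio": hidden / total if total else 0.0,
        # Assumed rule for this example: flag when hidden text dominates.
        "suspicious": hidden > 0 and hidden >= visible,
    }


def build_docx(paragraphs) -> bytes:
    """Construct a minimal .docx in memory. `paragraphs` is a list of
    (text, hidden) pairs; hidden text gets white colour. Only the parts needed
    by hidden_text_stats() are written, so Word itself may not open it."""
    runs = []
    for text, hidden in paragraphs:
        rpr = '<w:rPr><w:color w:val="FFFFFF"/></w:rPr>' if hidden else ""
        runs.append(f'<w:p><w:r>{rpr}<w:t xml:space="preserve">{text}</w:t></w:r></w:p>')
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body>" + "".join(runs) + "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder, constructed
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed sample: one visible "enable content" lure line, plus hidden filler
# (a public-domain line standing in for the novel excerpts the article mentions).
SAMPLE = build_docx([
    ("This document is protected. Click Enable Content to view it.", False),
    ("Call me Ishmael. Some years ago, never mind how long precisely...", True),
    ("Call me Ishmael. Some years ago, never mind how long precisely...", True),
])

if __name__ == "__main__":
    print(hidden_text_stats(SAMPLE))
```

A detector built on this should also look at paragraph-level and style-inherited properties, since a run inherits colour from its style when its own `w:rPr` says nothing; the example only inspects the run's own properties.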
When opened, the Word document displays an image saying that the content is not accessible unless the user clicks the “Enable Content” button. Last year, Microsoft began blocking macros in files downloaded from the Internet by default.
Clicking “Enable Content” overrides that default and allows the macro to run. The macro makes Office download a .zip file from a legitimate website that has been hacked. Office then unpacks the archive and runs the bloated Emotet DLL, which infects the device.