Latest Strain Spreading Bumblebee and IcedID Malware
Emotet malware strain was first discovered by cyber security researchers in 2014. Initially designed as banking malware to steal sensitive and private information from the victim’s system without their knowledge.
Later versions of Emotet can spam and deliver malware services that download other malware families, including banking trojans and ransomware.
The initial infection begins via spam email containing an attachment or link. When the user tries to open the attachment or link, it further downloads the Emotet payload to the victim’s machine in the background. This campaign uses various social engineering tricks to lure users into opening malicious documents and enabling the macro content for successfully downloading the Emotet payload.
Emotet has evolved several times over the years since 2014. It also offers Malware-as-a-Service (MaaS) to other threat groups to deploy additional malware, such as TrickBot, Qakbot, and Ransomware. Though the Emotet was believed as the most distributed malware in previous years, it abruptly stopped spamming in July 2022.
Security Researcher Cryptolaemus tweeted on November 2nd that the Emotet is back and started spamming again. Cyble Research and Intelligence Labs (CRIL) observed the recent Emotet spam campaign spreading malicious xls, xlsm, and password-protected zip files as an attachment to infect users. Our intelligence shows that the recent Emotet campaign is widespread worldwide, targeting 40 countries.
The below figure demonstrates the geographical distribution of Emotet spambot activity for the last week from (3rd Nov to 8th Nov 2022).
The Emotet arrives to users via spam email containing an xls/xlsm or password-protected attachment, as shown in the image below. These office documents contain malicious macro code which downloads the actual Emotet binary from the remote server.
When a user opens the Microsoft Office document, it usually opens in protected view to prevent macros from being executed. Hence, the Threat Actors (TAs) behind this Emotet try various social Engineering techniques to lure the users into enabling the macro content.
The recent Emotet campaign shows a new template that contains instructions to bypass Microsoft’s Protected View. In this template, the TAs instructs the users to copy the xls into the trusted ‘Templates’ folders and run it again to view the document content. This trick bypasses Microsoft Office’s protected view feature and executes the hidden malicious macro code in the document that downloads Emotet malware. The below figure shows the new Office Template used by Emotet.
During execution, the xls file runs the macro code, downloads Emotet DLL (Dynamic Link Library) file from the following URLs, and launches it with “regsvr32.exe”:
The process tree demonstrates the execution of Emotet DLL downloaded from a malicious “xls” document, as shown below.
Then, the Emotet malware quietly runs in the background and connects to the C&C server for further instructions or to install additional payloads. During analyzing the recent Emotet samples, CRIL observed that it downloads IcedID as follow-up malware.
IcedID (aka BokBot) is a modular banking trojan that allows the TAs to steal banking credentials information from the victim’s system and act as a dropper for other additional malware, such as ransomware.
Upon execution of the Emotet, it drops the IcedID installer file into the following location:
Then, the installer downloads a binary file from the URL (hxxps[:]//bayernbadabum[.]com/botpack[.]dat) and drops IcedID DLL into the following location.
The below figure shows the downloaded IcedID payload by Emotet in the victim’s system.
After installing the IcedID into the victim’s system, it adds the DLL files into the task scheduler entry for its persistence, as shown in the figure below.
It is also observed that Emotet downloads Bumblebee malware on 8th Nov 2022. In this campaign, the Emotet malware downloads a PowerShell script named “Peurix.txt” into the Temp folder from the URL (hxxp[:]//87[.]251[.]67[.]176/tps1[.]ps1). The downloaded Powershell file contains code to download Bumblebee DLL from the URL (hxxp[:]//134[.]209[.]118[.]141/bb[.]dll) in the following location and executes the DLL file using rundll32.exe.
Cyble Research and Intelligence Labs (CRIL) has continuously monitored the Emotet malware campaign after it was spammed since November 2nd and identified the following intelligence from the recent spam campaign.
The figure below shows the top filenames used by the Emotet spam campaign.
The below image shows file types used by the Emotet spam.
The image below shows the top subject names used by the Emotet spam campaign.
Emotet is one of the most sophisticated and profitable malware families actively observed in the past eight years, impacting users globally. The primary infection vector for Emotet is spam email containing malicious attachments responsible for downloading Emotet payloader, which further downloads other additional payloads such as IcedID, Bumblebee, etc.
As the Emotet has come back after a few months, we expect the campaign to deliver malware using new TTPs in the future. Cyble Research and Intelligence Labs is continuously monitoring the activity of the Emotet malware campaign and will keep our readers updated.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:
Safety Measures Needed to Prevent Attacks From Similar Threats And Reduce The Impact
- Don’t keep important files in common locations such as the Desktop, My Documents, etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. Refrain from opening untrusted links and email attachments without verifying their authenticity. Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Initial Access||T1566.001||Phishing: Spearphishing Attachment|
|User Execution Command and Scripting Interpreter|
|Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Scheduled Task/Job|
|Defense Evasion||T1497||Virtualization/Sandbox Evasion|
|Credential Access||T1573 |
|Encrypted Channel Non-Standard Port Brute Force: Password Guessing|
|Application Layer Protocol Ingress Tool Transfer|
Indicators Of Compromise
|IcedID DLL (|
|IcedID DLL (ifocnf.dll)|
|URL||Emotet DLL payload|
|IP: Port||Emotet C&C Config|