# Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware

**[trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html](https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html)**

May 19, 2022

During the first quarter of 2022, we discovered a significant number of infections using multiple new Emotet variants that employed both old and new techniques to trick their intended victims into accessing malicious links and enabling macro content.

By: Adolph Christian Silverio, Jeric Miguel Abordo, Khristian Joseph Morales, Maria Emreen Viray

Read time: 6 min (1703 words)

The Emotet botnet malware is [well known in the cybersecurity industry for its success in using spam emails to compromise machines](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/further-emotet-evolution-operators-hijacking-existing-email-threads-to-deliver-malware) and then selling access to these machines as part of its infamous malware-as-a-service (MaaS) scheme. Operators behind notorious threats such as the [Trickbot trojan](https://www.trendmicro.com/vinfo/it/security/news/cybercrime-and-digital-threats/banking-malware-emotet-and-trickbot-go-phishing-again) and the [Ryuk or Conti ransomware](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ryuk-2020-distributing-ransomware-via-trickbot-and-bazarloader) are among the malicious actors who have used the botnet malware in their attacks. But in January 2021 came news of [Emotet's dismantling, dubbed Operation Ladybird](https://www.trendmicro.com/en_us/research/21/c/emotet-one-month-after-the-takedown.html), during which law enforcement agencies from Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the UK, and the US worked in concert to seize control of Emotet's infrastructure.

In spite of this, the botnet malware proved quite resilient, and it [resurfaced in November 2021](https://success.trendmicro.com/dcx/s/solution/1118391-malware-awareness-emotet-resurgence?language=en_US). According to [researchers at AdvIntel](https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware), its return was greatly influenced by Conti's operators, who sought to continue their partnership with the operators of Emotet, as the botnet malware had played an integral role in the ransomware's initial access phase.

During the first quarter of 2022, we discovered a significant number of infections in various regions (Figure 1) and across different industries (Figure 2) using multiple new Emotet variants. Based on our telemetry, a large percentage of the infected customers were in Japan, followed by countries in the Asia-Pacific and EMEA (Europe, the Middle East, and Africa) regions. It is possible that the operators behind Emotet targeted profitable industries like manufacturing and education to attract the attention of other malicious actors as potential customers for their MaaS offering.

Figure 1. Emotet infections by region during the first quarter of 2022

Figure 2. Emotet infections by industry during the first quarter of 2022

## In with the new

We observed that this surge in Emotet spam campaigns used both old and new techniques to trick their intended victims into accessing malicious links and enabling macro content. The newer Emotet samples we analyzed retained the same initial downloader as the one found in previous campaigns. However, these more recent samples used Excel 4.0 macros, an old Excel feature, to execute their download routines (Figure 3), as opposed to Emotet's previous use of Visual Basic for Applications (VBA).

Figure 3. Emotet's Excel lures

Emotet employs various obfuscation techniques to evade detection of the malicious Excel file. One such technique is its use of the .ocx file name extension (Figure 4) and carets (Figures 12 and 13) in URLs, which allow Emotet to sidestep detection methods that look for specific command-line keywords or extensions.

Figure 4. Emotet using Excel 4.0 macros and the .ocx file name extension for its payload

We also observed that some of the recent Emotet samples drop BAT (batch) files (Figures 5 and 6) and VBScript files (Figures 7 and 8) to execute their download routines.

Figure 5. An obfuscated BAT file

Figure 6. A deobfuscated BAT file (Figure 5) that downloads Emotet's payload via PowerShell

Figure 7. An obfuscated VBScript file

Figure 8. A deobfuscated VBScript file (Figure 7) that downloads Emotet's payload via PowerShell

Unlike past variants, the recent Emotet samples behave in a more straightforward way, directly downloading and executing their payloads. These samples use regsvr32.exe under the SysWow64 folder to execute their payloads, which ensures that the malware runs in a 64-bit environment using the 32-bit binary. This suggests that Emotet now targets only 64-bit machines, which is in line with the [recent news of Emotet's switch to 64-bit loaders](https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/).

We also discovered that the recent Emotet samples employ LNK (link) files to download 64-bit loaders (Figure 9). These allow Emotet to directly execute PowerShell commands for payload execution. For each infection, the LNK file creates a PS1 file via PowerShell, which is then used to download and run Emotet's payload (Figures 10 and 11).

Figure 9. Emotet's malicious LNK file

Figure 10. The executed command from Emotet's malicious LNK file

Figure 11. The deobfuscated command from Emotet's malicious LNK file (Figure 10)

Another notable behavior we observed in the samples of these new Emotet variants was their use of hexadecimal (Figure 12) and octal (Figure 13) representations of the IP addresses they connected to, as we reported in a [previous blog entry](https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html). Using these formats to obscure the URLs enables these new variants to circumvent pattern-matching detection methods, thereby allowing the execution of their download routines.

Figure 12. A hex representation of the Emotet URL (with carets)

Figure 13. An octal representation of the Emotet URL (with carets)

### Emotet's payload

Emotet's older 32-bit variants use seven core commands. But the recent Emotet samples are of 32-bit variants that use only six core commands and 64-bit variants that use only five, as shown in Table 1.

|Command|Execution method of 32-bit variants|Execution method of 64-bit variants|
|---|---|---|
|1|Download and execute DLL with regsvr32.exe with parameter: %Windows%\regsvr32.exe /s {Installation folder}\{random}.dll {Base64-encoded string of (randomly created installation folder)}\(file name of dropped copy)|Download and execute DLL with regsvr32.exe: %Windows%\regsvr32.exe {Installation folder}\{random}.dll {Base64-encoded string of (randomly created installation folder)}\(file name of dropped copy)|
|2|Execute shellcode via CreateThread|Execute shellcode via CreateThread|
|3|Download EXE file and execute it using CreateProcessW (non-admin): {Installation folder}\{random}.exe|Download EXE file and execute it using CreateProcessW (non-admin): {Installation folder}\{random}.exe|
|4|Download EXE file and execute it using CreateProcessAsUserW (admin): {Installation folder}\{random}.exe|Download EXE file and execute it using CreateProcessAsUserW (admin): {Installation folder}\{random}.exe|
|5|Execute shellcode via CreateThread|Load module in memory and execute exported function (via LoadLibraryA and GetProcAddress)|
|6|Download and execute DLL with regsvr32.exe: %Windows%\regsvr32.exe /s {Installation folder}\{random}.dll||

Note: {Installation folder} could be %AppDataLocal%\{random} (non-admin) or %System%\{random} (admin), depending on the mode of execution.

Table 1. A list of core commands used by the newer Emotet samples

Our analysis of the recent samples showed that Emotet's use of rundll32.exe for execution between November 2021 and January 2022 had been phased out, replaced by the "regsvr32.exe /s" command as of February 2022. Nonetheless, Emotet still employs a modular architecture for its other payloads. Based on this, we can infer that the samples have the same infection chain as in previous Emotet-related campaigns, with some variants opting to include the gathering of running processes as part of their modules instead of their main routine (Figure 14).

Figure 14. Emotet's infection chain

The reappearance of Emotet is also notable because its operators have since added Cobalt Strike, a well-known penetration-testing tool, to its arsenal. This poses a bigger risk for target enterprises, as the integration of Cobalt Strike provides more flexibility for Emotet's MaaS partners to gain a foothold in an intended victim's systems. With these new features, we expect to see in the coming months a continuous stream of Emotet cases and the delivery of other malware used in Emotet's MaaS scheme.

## Similarities with QakBot

Since January, we have received and analyzed 300 submissions of the QakBot loader (Figure 15), and our investigation has revealed that its attack chain shares many similarities with that of Emotet (Figure 16).

Figure 15. Emotet and QakBot submissions from January to April 2022

Figure 16. A comparison of QakBot and Emotet's attack chains

QakBot spam messages attempt to deceive their intended victim into clicking a download link, which is usually a OneDrive URL (Figure 17). An Emotet spam message, on the other hand, poses as a forwarded email that has a password-protected archive attachment (Figure 18).

Figure 17. A QakBot spam message containing a malicious download link

Figure 18. An Emotet spam message containing a password-protected archive attachment

QakBot infections start with the intended victim downloading a malicious Excel file with an .xlsb file name extension (Figure 19). Emotet infections also involve an Excel file, but with an .xlsm file name extension (Figure 20).

Figure 19. The malicious Excel file in a QakBot attack

Figure 20. The malicious Excel file in an Emotet attack

Another key difference between the two pieces of malware is that the macro sheets embedded in QakBot's downloader samples contain links with the .png file name extension in the URLs (Figure 21), while Emotet links do not (Figure 22). This is a means for QakBot to evade detection, as using a common file name extension like .png makes QakBot URLs less suspicious.

Figure 21. The URLs in a QakBot macro sheet

Figure 22. The URLs in an Emotet macro sheet

Although the Excel files in both QakBot (Figure 23) and Emotet (Figure 24) infections employ regsvr32.exe to execute their payloads, only QakBot drops its payload in a folder with a random five-character name that is located in the C:\ drive (Figure 25). Emotet, on the other hand, drops its payload in the parent directory of its downloader (Figure 26).

Figure 23. QakBot's use of regsvr32.exe to execute its payload

Figure 24. Emotet's use of regsvr32.exe to execute its payload

Figure 25. QakBot dropping its malicious payload in a folder in C:\

Figure 26. Emotet dropping its malicious payload in a folder

## Security recommendations

For enterprises to avoid falling victim to spam emails used in Emotet and QakBot campaigns, user awareness training for employees should be expanded to address email reply chain attacks. Security practices that can mitigate the risk of infection include:

- Ensuring that macros are disabled in Microsoft Office applications
- Hovering over embedded links to check the URLs before opening them
- Being wary of unfamiliar email addresses, mismatched email addresses and sender names, and spoofed company emails, all of which are telltale signs that the sender has malicious intent
- Refraining from downloading any email attachments without verifying the sender's identity
- Enabling advanced detection capabilities, such as predictive machine learning

Users and businesses can defend themselves against threats like Emotet using endpoint solutions such as Trend Micro's [Smart Protection Suites and Worry-Free Business Security solutions](https://www.trendmicro.com/us/small-business/product-security/), which have behavior-monitoring capabilities that can detect malicious files, scripts, and messages, and block all related malicious URLs. The [Trend Micro™ Deep Discovery™ solution](https://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/) also has [a layer for email inspection](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-inspector.html) that can protect enterprises by detecting malicious attachments and URLs.

**_Additional insights by Jett Paulo Bernardo, Arianne Dela Cruz, Dexter Esteves, Gerald Fernandez, Mark Marti, Ryan Pagaduan, and Louella Darlene Sevilla_**

## Indicators of compromise (IOCs)

|SHA-256|Description|Detection name|
|---|---|---|
|48426fd5c5be7a8efdbbf2d9f0070626aa9bfe9734aab9278ddd293e889a19cc|Emotet sample using Excel 4.0 macros|Trojan.XF.EMOTET.YJCCXB|
|e9bf38414636c6cef4cc35fad5523de205eca815b979ed36e96a7e6166a58370|Emotet payload|TrojanSpy.Win32.EMOTET.YJCCY|
|5c4f33e22f9def7f7fea863e08c38f6a8b4ea9fcc78911c23bb54c4fdf4590e1|Hexadecimal IP address sample|Trojan.XF.EMOTET.SMYXBLAA|
|e961e46fe0000505f4534e036a9d1d2a59823cf644438a2733ab659e9c22988b|Octal IP address sample|Trojan.XF.EMOTET.SMYXBLAA|
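The carets and the hexadecimal and octal IP formats described above (Figures 12 and 13) defeat detections that match on literal URL strings. The normalizer below is an added example, not code from the article or from Trend Micro: it strips cmd.exe carets and rewrites hex, octal, decimal and single-number IPv4 hosts to dotted decimal before indicator matching, following the inet_aton rules Windows and browsers apply to such hosts. The sample URLs are constructed and point at a private address.

```python
import re

# URL host after caret removal; only hosts of hex digits, 'x' and dots qualify.
_URL_HOST_RE = re.compile(r"(?i)(https?://)([0-9a-fx.]+)(?=[/:\s\"']|$)")

def strip_carets(text: str) -> str:
    """Remove cmd.exe escape carets, which split keywords such as 'http'."""
    return text.replace("^", "")

def _parse_part(part: str) -> int:
    """One dotted component as hex (0x..), octal (leading 0) or decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if p.isdigit():
        return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10)
    raise ValueError(part)

def normalize_ip(host: str):
    """Hex/octal/decimal IPv4 host (dotted or single number) -> a.b.c.d, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    last_bits = 8 * (5 - len(parts))  # the last part fills the remaining 8..32 bits
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= (1 << last_bits):
        return None
    n = 0
    for v in vals[:-1]:
        n = (n << 8) | v
    n = (n << last_bits) | vals[-1]
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def normalize_command(cmd: str) -> str:
    """Strip carets and canonicalize IP hosts so indicator matching works."""
    cleaned = strip_carets(cmd)
    return _URL_HOST_RE.sub(
        lambda m: m.group(1) + (normalize_ip(m.group(2)) or m.group(2)), cleaned)

# Constructed samples (private address, not real Emotet infrastructure);
# every one normalizes to http://192.168.1.10/fer.ocx
SAMPLES = [
    "h^tt^p://0xc0.0xa8.0x01.0x0a/fer.ocx",  # hex octets with carets
    "h^tt^p://0300.0250.01.012/fer.ocx",     # octal octets with carets
    "http://0xc0a8010a/fer.ocx",             # single 32-bit hex number
    "http://3232235786/fer.ocx",             # single 32-bit decimal number
]
```

Run the normalizer over extracted macro, BAT, VBScript or LNK command lines before comparing hosts with a blocklist; hostnames that are not numeric forms pass through unchanged.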