Threat actors associated with the notorious Emotet malware are continually shifting their tactics and command-and-control (C2) infrastructure to escape detection, according to new research from VMware.

Emotet is the work of a threat actor tracked as Mummy Spider (aka TA542), emerging in June 2014 as a banking trojan before morphing into an all-purpose loader in 2016 that's capable of delivering second-stage payloads such as ransomware.

While the botnet's infrastructure was taken down as part of a coordinated law enforcement operation in January 2021, Emotet bounced back in November 2021 through another malware known as TrickBot.

Emotet's resurrection, orchestrated by the now-defunct Conti team, has since paved the way for Cobalt Strike infections and, more recently, ransomware attacks involving Quantum and BlackCat.


"The ongoing adaptation of Emotet's execution chain is one reason the malware has been successful for so long," researchers from VMware's Threat Analysis Unit (TAU) said in a report shared with The Hacker News.

Emotet attack flows are also characterized by the use of different attack vectors in an attempt to stay covert for extended periods of time.

These intrusions typically rely on waves of spam messages that deliver malware-laced documents or embedded URLs, which, when opened or clicked, lead to the deployment of the malware.

In January 2022 alone, VMware said it observed three different sets of attacks in which the Emotet payload was delivered via an Excel 4.0 (XL4) macro, an XL4 macro with PowerShell, and a Visual Basic Application (VBA) macro with PowerShell.

Some of these infection lifecycles were also notable for the abuse of a legitimate executable called mshta.exe to launch a malicious HTA file and then drop the Emotet malware.

"Tools such as mshta and PowerShell, which are sometimes referred to as living-off-the-land binaries (LOLBINs), are very popular among threat actors because they are signed by Microsoft and trusted by Windows," the researchers said.

"This allows the attacker to perform a confused deputy attack, in which legitimate tools are fooled into executing malicious actions."

Further analysis of nearly 25,000 unique Emotet DLL artifacts shows that 26.7% of those were dropped by Excel documents. As many as 139 distinctive program chains have been identified.

Emotet's re-emergence has also been marked by a change in C2 infrastructure, with the threat actor operating two new botnet clusters dubbed Epochs 4 and 5. Prior to the takedown, the Emotet operation ran atop three separate botnets referred to as Epochs 1, 2, and 3.


On top of that, 10,235 Emotet payloads detected in the wild between March 15, 2022, and June 18, 2022, reused C2 servers belonging to Epoch 5.

The changes to both the execution chains and C2 IP addresses aside, Emotet has also been spotted distributing two new plugins, one which is designed to capture credit card data from Google Chrome browser, and a spreader module that uses the SMB protocol for lateral movement.

Other significant components include a spamming module and account stealers for Microsoft Outlook and Thunderbird email clients.

A majority of the IP addresses used to host the servers were in the U.S., Germany, and France. In contrast, most of the Emotet modules were hosted in India, Korea, Thailand, Ghana, France, and Singapore.

To protect against threats like Emotet, it's recommended to implement network segmentation, enforce a Zero Trust model, and replace default authentication mechanisms in favor of stronger alternatives.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.