Researchers from Proofpoint have observed the reemergence of the Emotet botnet, which is exhibiting new behaviors and new attack techniques.
According to Proofpoint researchers, the latest campaign was spotted in November 2021, ten months after Emotet disappeared from the threat landscape.
The new activity appeared to be small scale, in preparation for a larger-volume campaign, and is associated with TA542, a threat actor Proofpoint has been tracking since 2014.
“TA542 consistently uses the latest version of this malware, launching widespread email campaigns on an international scale that affect North America, Central America, South America, Europe, Asia, and Australia,” Proofpoint wrote in a blog post.
Proofpoint added that these new tactics, techniques, and procedures (TTPs) “may indicate that TA542 may now be engaged in more selective and limited attacks in parallel to the typical massive scale email campaigns.”
In addition to the low-volume activity, the actors are also using OneDrive URLs in lieu of the typical Microsoft Office attachments or URLs hosted on compromised sites.
Moreover, the latest activity uses XLL files, a type of dynamic link library (DLL) file that extends Excel's functionality, rather than the previously used Microsoft Excel or Word documents containing VBA or XL4 macros.
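The two delivery traits just described, OneDrive-hosted URLs and XLL attachments, are both cheap to triage at a mail gateway. The following Python is an added example written for this page, not Proofpoint's tooling or anything from the campaign itself. It assumes a simplified message record (sender, subject, body, and the leading bytes of each attachment), treats `1drv.ms`, `onedrive.live.com`, and `*-my.sharepoint.com` as OneDrive hosts, and relies on the fact that an XLL is a Windows DLL and therefore begins with the PE `MZ` magic, which also lets it catch a DLL renamed to look like a workbook. The sample messages are constructed.

```python
"""Triage constructed e-mail records for two Emotet delivery traits:
OneDrive-hosted URLs and XLL (Excel add-in DLL) attachments.
Added example for this page; sample messages are constructed, not real campaign data."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts that serve OneDrive share links (assumption for this example; extend for your tenant).
ONEDRIVE_HOSTS = {"1drv.ms", "onedrive.live.com"}
# An XLL add-in is a Windows DLL, so its content starts with the PE "MZ" magic.
PE_MAGIC = b"MZ"
# Extensions a user expects to hold a workbook, never native executable code.
WORKBOOK_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    # attachment filename -> leading bytes of the attachment content
    attachments: dict = field(default_factory=dict)


def onedrive_urls(text):
    """Return every URL in text whose host is a OneDrive / OneDrive for Business host."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in ONEDRIVE_HOSTS or host.endswith("-my.sharepoint.com"):
            hits.append(url)
    return hits


def suspicious_attachments(attachments):
    """Flag XLL add-ins by extension, and workbook-named files whose bytes are really a PE."""
    findings = []
    for name, head in attachments.items():
        lower = name.lower()
        if lower.endswith(".xll"):
            findings.append(("xll-attachment", name))
        elif lower.endswith(WORKBOOK_EXTS) and head.startswith(PE_MAGIC):
            findings.append(("pe-disguised-as-workbook", name))
    return findings


def triage(msg):
    """Return (rule, detail) findings for one message; an empty list means nothing matched."""
    findings = [("onedrive-url", u) for u in onedrive_urls(msg.body)]
    findings += suspicious_attachments(msg.attachments)
    return findings


def triage_all(messages):
    """Map message index -> findings, keeping only messages that matched a rule."""
    results = {}
    for i, msg in enumerate(messages):
        findings = triage(msg)
        if findings:
            results[i] = findings
    return results


# Constructed sample messages (hypothetical senders and share id).
SAMPLES = [
    Message("billing@example.test", "Invoice 4471",
            "Your invoice is ready: https://1drv.ms/u/s!constructed-share-id"),
    Message("hr@example.test", "Updated policy",
            "See attached workbook.",
            {"policy_update.xll": b"MZ\x90\x00"}),
    Message("partner@example.test", "Q4 figures",
            "Numbers attached.",
            {"q4.xlsx": b"MZ\x90\x00"}),      # PE bytes under a workbook name
    Message("partner@example.test", "Q3 figures",
            "Numbers attached.",
            {"q3.xlsx": b"PK\x03\x04"}),      # genuine OOXML zip container, no finding
]


if __name__ == "__main__":
    for i, findings in triage_all(SAMPLES).items():
        print(f"message {i} ({SAMPLES[i].subject!r}):")
        for rule, detail in findings:
            print(f"  {rule}: {detail}")
```

The content check matters more than the extension check: a gateway that only blocks `.xll` by name misses a DLL that was renamed, while a real `.xlsx` is a ZIP container (`PK` magic) and a legacy `.xls` is an OLE compound file, so neither should ever start with `MZ`.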
In December 2021, Microsoft patched a Windows AppX Installer spoofing zero-day vulnerability, CVE-2021-43890, that was being actively exploited in the wild to spread Emotet malware.