Infamous botnet turns to new file pumping tactic to attack users

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

After being AWOL for a couple of months, the dreaded Emotet botnet is back and sports new tricks. 

Cybersecurity researchers from Deep Instinct recently spotted a new variant of the infamous malware and claim it’s been updated with a few new tricks that help it evade detection by antivirus programs, Ars Technica reported. 

As per the report, Emotet’s been doing what it does best - distributing weaponized Word files via email, carrying macros that - if enabled - trigger a malicious payload download from a third-party website. The file being distributed has been “pumped” - inflated to large sizes. That helps it evade triggering the antivirus. 

Activating macros

Emotet uses different methods to “pump” the file - sometimes it just has zeros added to the end of the document, and sometimes there are entire paragraphs from Moby Dick copied and pasted - in white-colored font against a white background, so that they can’t be seen. 

On average, the file is more than 500MB in size, the researchers said. Files of this size are usually not scanned by antivirus programs.

The contents of the document are also blurred out, with an overlaid message saying “document is protected” - to trick the victim to activate macros. 

If that happens, the Word document will download a malicious .DLL file that’s also been “pumped”. The .DLL is hosted on a legitimate third-party site that’s been hacked and is being used as a mule - to distribute the malware.

In case the victim ends up unknowingly downloading Emotet, it will scan the endpoint for passwords and other sensitive data, and extract it to a remote location. 

Furthermore, it will use the compromised device to spread to more victims. As previously noted, Emotet usually spreads through email, by tapping into an existing email chain, and replying to a previous message in order not to raise any suspicion. In the email, Emotet will also address the victim by name. 

Finally, the botnet is capable of downloading additional malicious payloads, such as the Ryuk ransomware, or the TrickBot malware.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.