Security News

Emotet botnet switches to 64-bit modules, increases activity
2022-04-19 19:57

The Emotet malware is having a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines. Emotet is a self-propagating modular trojan that can maintain persistence on the host.

Emotet malware campaign impersonates the IRS for 2022 tax season
2022-03-16 15:39

The Emotet malware botnet is taking advantage of the 2022 U.S. tax season by sending out malicious emails pretending to be the Internal Revenue Service sending tax forms or federal returns. Emotet is a malware infection distributed through phishing emails with attached Word or Excel documents containing malicious macros.

Emotet Botnet's Latest Resurgence Spreads to Over 100,000 Computers
2022-03-09 23:36

The insidious Emotet botnet, which staged a return in November 2021 after a 10-month-long hiatus, is once again exhibiting signs of steady growth, amassing a swarm of over 100,000 infected hosts for perpetrating its malicious activities. "While Emotet has not yet attained the same scale it once had, the botnet is showing a strong resurgence with a total of approximately 130,000 unique bots spread across 179 countries since November 2021," researchers from Lumen's Black Lotus Labs said in a report.

Emotet growing slowly but steadily since November resurgence
2022-03-08 15:00

The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 92,000 systems in 172 countries. Emotet activity stopped in 2019 while its second major version was in circulation, and the malware returned only in November 2021, with the help of Trickbot.

Rebirth of Emotet: New Features of the Botnet and How to Detect it
2022-03-01 06:35

Emotet is a sophisticated, constantly changing modular botnet. On November 14, 2021, Emotet was reborn with a new version.

Emotet Now Spreading Through Malicious Excel Files
2022-02-16 13:39

The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found. "Emotet's new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload," Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.

Microsoft disables MSIX protocol handler abused in Emotet attacks
2022-02-05 00:10

Microsoft has disabled the MSIX ms-appinstaller protocol handler exploited in malware attacks to install malicious apps directly from a website via a Windows AppX Installer spoofing vulnerability. The likely reason for disabling the protocol altogether is to protect all Windows customers, including those who haven't yet installed the December security updates or applied the workarounds.

Emotet Now Using Unconventional IP Address Formats to Evade Detection
2022-01-25 21:21

Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. The infection chains, as with previous Emotet-related attacks, aim to trick users into enabling document macros and automate malware execution.

Emotet starts dropping Cobalt Strike again for faster attacks
2021-12-15 21:59

Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks. Earlier this month, Emotet began to test installing Cobalt Strike beacons on infected devices instead of their regular payloads.

Microsoft Issues Windows Update to Patch 0-Day Used to Spread Emotet Malware
2021-12-15 20:32

Microsoft has rolled out Patch Tuesday updates to address multiple security vulnerabilities in Windows and other software, including one actively exploited flaw that's being abused to deliver Emotet, TrickBot, or Bazaloader malware payloads. It's worth noting that this is in addition to the 21 flaws resolved in the Chromium-based Microsoft Edge browser.