DecryptedTech

Wednesday, 18 May 2022

The Group Behind Emotet is Looking to Get Around Microsoft’s VBA Changes



TA542, the group behind Emotet, appears to be in the middle of a development and testing cycle for new delivery methods. According to researchers at Proofpoint, the operators of the Emotet botnet are potentially looking for a new delivery method in response to Microsoft's long overdue decision to block VBA macros by default in Office files that come from the internet. Although Proofpoint reads the activity as development testing, it could also be part of a more targeted campaign.

TA542 typically sends out massive volumes of phishing email across multiple business verticals, with some campaigns exceeding one million messages. The group also took a break after law enforcement took down its infrastructure in early 2021. Still, nature abhors a vacuum, and TA542 was far from finished, as the new campaigns show.

What makes the new campaign different, aside from the low volume, is that there are no VBA macros in the attached documents at all. Instead, Proofpoint is seeing OneDrive URLs that link to .zip files, and those archives contain XLL files (Microsoft Excel add-ins) that execute the payload. An XLL is not a macro; it is a native DLL that Excel loads through its add-in interface, so blocking VBA does nothing to stop it. Excel does warn before loading an unsigned add-in from an untrusted location, but a one-click "enable" prompt is a far weaker gate than a macro that cannot be enabled at all. Given that Microsoft announced the VBA block would begin rolling out in April 2022, the new VBA-free attack chain and the timing of the shift both suggest that TA542 is evaluating other deployment options.
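The practical consequence of the paragraph above is that any control which only looks for VBA (a vbaProject.bin stream inside an Office document) will give this lure a clean bill of health. The following added example, which is my own illustration and not code from Proofpoint or from the campaign, shows a minimal attachment triage step for the chain described: open the zip, flag members named .xll, flag members that are PE images regardless of extension (a renamed add-in still loads), and separately report whether any embedded Office document carries VBA. The sample archive, file names and the stub PE image are all constructed here for the demonstration.

```python
import io
import struct
import zipfile


def _build_ooxml(with_vba: bool) -> bytes:
    """Constructed OOXML container (a .xlsx is itself a zip). VBA lives in xl/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub OLE stream")
    return buf.getvalue()


def _build_stub_pe() -> bytes:
    """Constructed stand-in for an XLL: a DOS header whose e_lfanew points at a PE signature."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 60, 64)      # e_lfanew = 64
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def build_sample_lure() -> bytes:
    """Constructed lure archive: macro-free workbook, an .xll, and a renamed PE image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.xlsx", _build_ooxml(with_vba=False))
        z.writestr("Report.xll", _build_stub_pe())
        z.writestr("update.dat", _build_stub_pe())   # same payload, misleading extension
        z.writestr("readme.txt", "Open the invoice to view your statement.")
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.xlsx", _build_ooxml(with_vba=False))
    return buf.getvalue()


def is_pe_image(data: bytes) -> bool:
    """True if the bytes start with an MZ header whose e_lfanew reaches a PE\\0\\0 signature."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML zip containing a vbaProject.bin stream."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(zip_bytes: bytes) -> dict:
    """Inspect every member of an attached zip and report the three signals separately."""
    findings = {"vba_macros": [], "xll_by_name": [], "pe_by_content": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            content = z.read(info)
            if info.filename.lower().endswith(".xll"):
                findings["xll_by_name"].append(info.filename)
            if is_pe_image(content):
                findings["pe_by_content"].append(info.filename)
            if has_vba_project(content):
                findings["vba_macros"].append(info.filename)
    return findings


def should_block(findings: dict) -> bool:
    """Native code in a mail attachment is blocked on content, not on the VBA result."""
    return bool(findings["pe_by_content"] or findings["xll_by_name"])


if __name__ == "__main__":
    result = triage_attachment(build_sample_lure())
    print(result)                 # vba_macros is empty; xll_by_name and pe_by_content are not
    print("block" if should_block(result) else "allow")
```

The point of keeping the three signals separate is visible in the output: the VBA check returns nothing for this lure, exactly as a macro-only policy would, while the content check catches both the .xll and the renamed copy. A gateway or sandbox rule built on this logic should also recurse into nested archives, since the campaign already puts one container (the zip) around another (the add-in).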

Further evidence that this run is part of a development cycle is that the group fixed a bug in the new delivery chain which had been preventing proper infection of the targeted system when the payload executed. Test runs at the end of a development cycle usually involve small target groups and quick bug fixes, so it stands to reason that this is what we are seeing from TA542.

Cybercrime is always going to be a game of cat and mouse, with the threat actors usually one step ahead of the defenders, and observing a development cycle in progress is nothing new. It is good that these early stages have been spotted so that mitigations for the new TTPs can be put in place, but all in all it is nothing shocking. It is newsworthy, and something to take note of. As for precautions, the usual security-first culture, anti-phishing and spam filtering, user training, and good behavior-based antimalware should go a long way. Two controls aimed directly at this tactic are also worth considering: block .xll files at the mail gateway and web proxy, since almost no user has a legitimate reason to receive an Excel add-in by email or download, and use the Excel Trust Center policy that requires application add-ins to be signed by a trusted publisher (or disables application add-ins entirely), so that an unsigned XLL dropped from a zip cannot simply be enabled with a click.
