Emotet Returns & Exploits Passages From “Moby Dick” - Talion

That’s right – Emotet is back.

Originally detected in 2014, when the virus begun as a banking trojan affecting customers of German and Austrian banks, Emotet (attributed to the cybercrime group TA542 aka Gold Crestwood or Mummy Spider) has now evolved globally as a malware distributor.

Here’s how Emotet made a memorable return in 2023.

And it’s with the least expected co-conspirator – Moby Dick.


Emotet Returns After 4 Months

The last Emotet campaign was in November 2022 – a spam operation that only lasted 2 weeks – but after rebuilding its network with a short hiatus, it came back with a vengeance in March 2023.

This notorious malware involves specific spamming techniques where malicious Microsoft Word and Excel documents are distributed over email which, when opened, enables macros and downloads the Emotet DLL.

After this, Emotet is merely a waiting game. It remains quiet until further instructions from a remote command and control server. Then? It steals victim’s emails for future cyber attack purposes or, alternatively, downloads additional payloads such as Cobalt Strike.

It is thought that Emotet could return with spam campaigns much like 2020’s infection of victims with TrickBot and Qbot, or the use of parked domains to distribute payloads later that same year, but security researchers have followed Emotet closely and have found they usually resurface with new tactics – and this is certainly the case.


Cybercriminals Show Appreciation For American Literature

What are Emotet up to this time?

Hijacking email threads.

Whilst they’re technically using the same delivery method as last year, they are now using unlocked ZIP files that do not require the victim to unlock with a password. Many companies across the globe have become victim to this, although the most recently reported is Japan.

The host system of the victim is first asked to enable macros in a Word document (which if done so, will start the infection chain):

Social engineering tactic used to fool victims into triggering macros


However, on the second page, there is a peculiar amount of blank space which is, in fact, 3-7 pages of excerpts from the classic novel Moby Dick hidden in white font.


Text is often added by cybercriminals as an evasion technique. With the whole document accounting for 14,801 characters and 2,587 words, it is more likely to bypass security tools which otherwise classify a Word document with just an image and a macro as malicious. Moby Dick thus fools those tools into thinking the file is benign.

Interestingly, people still use macros for legitimate reasons, hence the file is able to bypass security tools with the added text, but people have little reason to do so with the technological advances made in the 21st century. Perhaps this activity, and its corresponding risk to organisations, will then eventually tail off over time.


What’s The Potential Risk With Emotet?

Once these Word files, fraught with Moby Dick, land in the victim’s hands and the macros is triggered, a ZIP file is then downloaded containing Emotet DLL from a compromised website. Due to the artificial padded text, chance of automatic analysis and IOC extraction is reduced.

CISOs should be aware that Emotet are still using process injection, so any security tools that do not rely solely on static analysis are recommended, since these should have a better chance at catching it before damage is done.


Emotet’s excerpts from “Moby Dick” surfacing as the font colour is changed


Cybercriminals are getting more and more creative by the minute. Why paste a thousand 0’s in a Word document when you can use Moby Dick instead?

Humour aside, these threat groups are keen to garner attention, and this is just one example of how they’ve done so to announce the significance of their return.

Evaluate your security tools often to ensure they stay up to date with current tactics used by cybercriminals.

Our Threat Intelligence Datasheet offers details on how you can stay one step ahead of attackers with key insight into your digital footprint, current security trends and mitigation recommendations.

Download your copy here.


Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
24x7x365 UK-based Security Operations Centre
Service underpinned by market leading threat intelligence team
Continually developed threat relevant content, backed by SLAs
MDR service has featured in the Gartner Magic Quadrant for 6 consecutive years
Experts in SIEM and SOAR technology
UK-based Senior Leadership
Looking to maximise value and flexibility?
Learn how Talion and DEVO partner to achieve this.
Discuss your cyber security needs
Contact us below and one of our team will be in touch to answer your questions.

Call us on 0800 048 5775

Call us directly and we’ll put you in touch with the most relevant cyber expert.

Get In Touch With Us

Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.

CISO Cyber Dinner – Register Your Interest!

Thought-provoking cyber security discussion at Michelin-star restaurants across the UK.