Mealybug

Mealybug, a cybercrime group also known as TA542, has been operating the Emotet malware family since 2014. In recent years, Mealybug has significantly enhanced its malicious activities by updating the Emotet malware to a 64-bit architecture and implementing multiple new obfuscations to protect their modules. Near the end of 2022, the group began experimenting with malicious LNK and XLL files, as they sought a new attack vector that could match the effectiveness of VBA macros. Despite facing challenges, Mealybug has managed to update and improve all existing modules multiple times. In an effort to evade detection and monitoring from the computer security industry and researchers, Mealybug has implemented robust protective measures. The botnet was widely disseminating Spammer modules, which were considered valuable for Mealybug as they were historically used only on machines deemed safe by them. Additionally, the group created several new modules to enhance their capabilities, including those that collect data and contain anti-tracking and anti-analysis tricks. This development significantly improved Mealybug's ability to differentiate between real victims and malware researchers' activities or sandboxes. The disabling of Emotet's main attack vector by authorities prompted Mealybug to explore new ways to compromise their targets. To remain profitable and prevalent, Mealybug introduced multiple new modules and improved its implementation of various randomization techniques. Notably, these include the randomization of order of structure members and instructions that calculate constants. As a result, Mealybug continues to pose a significant threat in the cybersecurity landscape, demonstrating adaptability and resilience in response to countermeasures.