The Emotet botnet has returned with a venegeance
The dreaded Trojan Emotet is back after a five-month hiatus, kicking off a furious new malware distribution campaign, researchers are warning.
Researchers from Cryptolaemus, a group that tracks Emotet, observed the threat actor suddenly come to life and spam email addresses worldwide with phishing emails, in the early morning of November 2.
“Looks like Ivan is in need of some cash again so he went back to work. Be on the lookout for direct attached XLS files and zipped and password protected XLS,” the group warned in a Twitter thread.
Weaponized Office files
As usual, the campaign revolves around weaponized Office documents, in this particular case – Excel files carrying malicious macros.
The threat actor hijacks existing email chains, using the reply feature to distribute the document. There are a few notable changes to how the trick works, though, as Microsoft has recently disabled macros by default, and requires admins to specifically allow the feature to run.
Furthermore, Windows now adds the Mark-of-the-Web (MoTW) flag to all files downloaded from the internet. When opened, MoTW flagged files will display a message saying they were downloaded from an insecure location and that they can only be opened in Protected View, to protect the users from accidentally running a malicious macro.
> Emotet is still the world’s worst malware – but maybe not for long
> Google Chrome user profiles under attack from Emotet malware
> Here’s our take on the best ID theft protection tools right now
That has prompted the criminals to add a specific message to the file, mimicking Excel’s security warning (the yellow horizontal bar above the content) and saying that, in order to run the file, it needs to be placed in the Office’s Templates folder.
All files run from the Templates folder automatically run macros. Indeed, it’s not that easy to add files to that specific folder, as Windows requests admin permission, but chances are – many victims will ignore these obvious red flags.
So far, Emotet is sitting dormant on compromised endpoints, so the researchers can’t determine what kind of campaign it’s being used for. In the past, Emotet was used to drop Cobalt Strike beacons, TrickBot malware, and others.
- Check out the best firewalls today