MalwareNoticias

EMOTET Malware Disguises Itself as an Office Update

Emotet is one of the most widespread malware threats in the technology industry. It began as a banking trojan and has since evolved into multiple formats and attack vectors.

A new variant has now emerged, disguised as a message from the Microsoft Office suite indicating that one of its core applications, Microsoft Word, needs to be updated to add "new features."

Emotet spreads through emails containing Word documents with malicious macros. When these documents are opened, their content attempts to trick the user into enabling macros, which then download the malware and install it on the computer. Once infected, Emotet uses the machine to send spam emails and ultimately installs other types of malware to enable ransomware attacks across the victim's network.

Emotet in Microsoft Word

Emotet's spam campaigns use a variety of lures to trick recipients into opening attachments, such as posing as invoices, shipping notices, resumes, purchase orders, or even content related to media topics — as has unfortunately been the case with the COVID-19 pandemic.

Attached to these spam emails are malicious Word (.doc) attachments or links to download one. When opened, these attachments will prompt the user to 'Enable Content' so that malicious macros can run and install the Emotet malware on the victim's computer.

To deceive users, Emotet employs several document designs or templates that display a warning message. This week, a new template was discovered that impersonates a Microsoft Office message indicating that Microsoft Word needs to be updated to add a new feature. These malicious macros download and install the Emotet malware into the %LocalAppData% folder.
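A gateway-side triage check for the macro-bearing Word attachments described above, as an added example that is not part of the original article: it flags OOXML documents that carry a vbaProject.bin part and, heuristically, legacy OLE2 .doc files whose directory contains VBA storage names. The sample documents it builds are constructed stand-ins, not Emotet files, and the OLE check is a string heuristic rather than a full compound-file parser.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy binary .doc).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage names that appear in the OLE directory only when a VBA project is
# embedded; directory entry names are stored as UTF-16LE. Heuristic only.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def has_vba_macros(data: bytes) -> bool:
    """True if an Office attachment carries a VBA project."""
    if data[:4] == b"PK\x03\x04":  # OOXML (.docm/.docx) is a zip archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data[:8] == OLE_MAGIC:  # legacy .doc: look for VBA storage names
        return any(marker in data for marker in OLE_VBA_MARKERS)
    return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Mail-gateway verdict: quarantine macro-bearing Office attachments."""
    office_ext = filename.lower().endswith((".doc", ".docm", ".docx", ".dot", ".dotm"))
    if office_ext and has_vba_macros(data):
        return "quarantine: Office document with embedded VBA macros"
    return "allow"


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML zip, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_ole(with_vba: bool) -> bytes:
    """Constructed OLE2-like blob: real magic, fake directory names."""
    blob = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    if with_vba:
        blob += b"\x00" * 8 + "Macros".encode("utf-16-le")
    return blob
```

A production gateway would replace the OLE heuristic with a real compound-file parser (for example oletools), but the verdict logic stays the same: any unsolicited Office attachment with a VBA project is held rather than delivered.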

Emotet is as widespread as it is dangerous, since it installs other malicious payloads such as Trickbot and QBot on the victim's computer. Once installed, TrickBot and QBot attempt to steal stored passwords, banking information, and other sensitive data, and they frequently lead to ransomware attacks — Conti (via TrickBot) or ProLock (via QBot).

It is important for email users to recognize the malicious document templates used by Emotet and to treat all unsolicited email with suspicion. Needless to say, attachments should never be downloaded or executed — and macro-enabled documents in particular are extremely dangerous.

Source: welivesecurity
