Last seen in January 2021, after law enforcement took them down, Emotet is back and is using TrickBot to install Emotet malware on infected Windows systems. TrickBot is a malware botnet that is often used by cyber criminals to load secondary malware payloads and commonly seen in ransomware incidents .
After 10 months of darkness, Emotet was recently seen by cyber security researcher, Brad Duncan, spamming multiple email campaigns to infect devices with the malware. The campaigns use reply-chain emails to persuade victims into opening malicious attachments disguised as Word/Excel documents or password-protected ZIP files. Reply-chain email attacks are another form of social engineering where the attacker sends a malicious email from a genuine, but stolen email account. Some of the reply-chain emails Duncan discovered included a missing wallet, a canceled meeting, and even political donations.
Currently, there are two malicious documents being distributed. The first document is an Excel attachment asking the victim to click on “Enable Content” to view the contents. The other is a Word attachment that says the document is in “Protected” mode and users must enable content and editing to view it. However, after the victim opens the attachments and click, they enable malicious macros that launch a PowerShell command that then downloads the Emotet loader DLL from a compromised WordPress site.
After being downloaded, Emotet configures a startup value under the following:
This is done so the malware can launch when Windows starts. Emotet will then run silently in the background, waiting for commands to execute to from its C2. The commands could be used steal email account information, spread the malware to other computers, or to install additional payloads like TrickBot. Emotet was once considered the largest botnet cyber security had ever seen, let’s not give it a reason to regain its title. Keep your organization from becoming another victim by staying educated on cyber security best practices.