Emotet Disguises as Downloadable File of Edward Snowden’s New Book to Infect Users

Emotet (detected by Trend Micro as TrojanSpy.Win32.EMOTET.THIBEAI) which recently resurfaced, is quick to expand its campaign to bank on the popularity of former CIA contractor and NSA whistleblower Edward Snowden’s bestselling memoir.

The cybercriminals behind this campaign sent out spam emails containing a Microsoft Word document pretending to be a free “Permanent Record” copy, luring victims to open the malicious document containing Emotet, according to a report from Malwarebytes. 

This spam campaign had emails in different languages, including English, Italian, Spanish, German and French.

According to security researchers, once victims access the document, they will be prompted by a fake pop-up message to activate Microsoft Word. Upon clicking on the activation button, the malicious macro code will run in the background. It will then trigger a PowerShell command that connects to a compromised WordPress site. From there, Emotet and other malware variants like Trickbot will be downloaded to the victim’s machine and will connect to a command-and-control (C&C) server.

Is Emotet a big threat?

In 2014, Trend Micro discovered Emotet as a banking malware that sniffs out network activity for data theft purposes. Over the years, it has evolved. Armed with its own spamming module, Emotet has branched off to different industries and regions all over the world and has acquired sandbox- and analysis-evasion techniques.

In a comprehensive research published last year, Trend Micro experts examined how Emotet worked — leading to the discovery of at least two infrastructures running parallel to one another to support its botnet and its possible adoption of multilayer operating mechanisms in the creation of its artifacts.

This resurgent malware family is known for its evolving spam email content and its infectious nature. It does not stop at one infected machine — it can spread to other machines connected to a network and spread laterally.

According to the Department of Homeland Security, because of Emotet’s destructive nature, it can cost state, local, tribal, and territorial (SLTT) governments up to US$1 million per incident to fix.

How can users stay safe against social engineering attacks?

The best way to remain protected against socially engineered scams is to be well informed of the different ways cybercriminals can trick you into being deceived.

In this particular spam campaign, social engineering is used to hook users into believing that they’re downloading a free copy of a popular book — only to be infected with Emotet.

These simple steps are key to making sure that you don’t fall for social engineering attacks:

• Bookmark trusted sites. To be sure that you’ll land on or access the correct website, search it yourself on a search engine. Don’t automatically click on website links provided in emails, especially from unknown or unfamiliar sources.
• Think before you click. Never click on links accompanied by promises that are too good to be true. Do not immediately download any file attachments. If you are unsure or suspicious, call the sender to verify the email content. Use publicly available contact information and not contact information provided in the email. 
• Don’t get easily swayed by threats, urgent requests, or too-good-to-be-true deals. Bad guys expect you to give in easily if you are threatened, rushed, or tempted with an unbelievably good deal. Slow down and take your time to assess the nature of the email.
• Secure your machine with the right technology. Investing in an effective security solution is essential to protect your system and data from all kinds of threats.

What can organizations do to defend against Emotet?

Here are some of the best practices businesses can adopt to protect against Emotet and other threats that may come with it:

• Regularly patch and update (or use virtual patching). Emotet is a modular downloader malware capable of delivering other kinds of threats that could exploit vulnerabilities. Updating and patching system, network, and server software can remove these vulnerabilities.
• Secure the email gateway. Emotet’s main attack vector is spam email, relying on social engineering to be successful. Practicing cybersecurity hygiene — both in the workplace and at home —helps just as much as deploying security solutions.
• Enforce the principle of least privilege. Emotet abuses legitimate tools such as PowerShell as part of its attack chain. Disabling, restricting, or securing sysadmin tools can significantly deter the threat from abusing them.
• Proactively monitor the organization’s online infrastructure. For organizations, a multilayered approach can help defend against Emotet. Firewalls and intrusion detection and prevention systems help detect and block suspicious traffic or malicious network activities. Application control and behavior monitoring prevent anomalous executables and malware-related routines from running, while URL filtering helps block malicious URLs and websites that may be hosting malware.

Trend Micro endpoint solutions that have behavior monitoring capabilities, like Smart Protection Suites and Worry-Free Business Security, can protect users and businesses from threats like Emotet by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro^™ Apex One^™ protection employs a variety of threat detection capabilities, notably behavioral analysis, which protect against malicious scripts, injection, ransomware, and memory and browser attacks.

The Trend Micro Deep Discovery^™ solution has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs. It can detect remote scripts even if they are not being downloaded on the physical endpoints. The Trend Micro Deep Discovery^™ Inspector solution protects customers from Emotet via this DDI rule:

• 2897: EMOTET - HTTP (Request) - Variant 4

Indicators of Compromise