Emotet Strikes Again


Friday, November 13th, 2020

Emotet is malware, specifically a trojan spread through spam emails. It is used by multiple threat actors who purchase access to it through a malware-as-a-service model, and it is often used to deploy the Ryuk ransomware, Trickbot, or QBot. If a target is found to be of high value, the initial payload often arrives as a malicious script, a macro-enabled document file, or a malicious link. Emotet emails often borrow the familiar branding of well-known companies and look like legitimate email. Emotet uses different C2 (command and control) servers for each campaign, which lets the attackers update the malware to newer versions and run commands across many infected machines at once, so the infected hosts act as a botnet.

The latest campaign template being used tricks users into allowing a malicious Word document to run code embedded in a macro. This is a convincing tactic that many users are likely to fall for. 

To get its code running inside Microsoft Word, the document first tells the user to click Enable Editing and then the Enable Content button, which causes the malicious macros to execute.

Once the user enables macros, an .exe file is downloaded to the AppData folder in the context of the currently logged-in user and executed. This is the stager component of the Emotet malware, which then pulls down the rest of the malware from the C2 server.
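The chain described above (Word macro runs, an .exe lands under the user's AppData folder and executes) leaves a process-creation pattern that a defender can hunt for. The following is an added example, not code from the original post: it scores simplified Sysmon-style process-creation records and flags an Office application spawning an executable from an AppData path. It also generalizes to Office spawning a script host, since the post notes the initial payload may arrive as a script. The log records and file names are constructed for illustration.

```python
import re

# Constructed sample records in a simplified Sysmon Event ID 1 (process
# creation) shape. These are made-up events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventId": 1, "User": r"CORP\alice",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\invoice_4412.exe"},
    {"EventId": 1, "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventId": 1, "User": r"CORP\bob",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventId": 1, "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Users\carol\AppData\Roaming\Updater\updater.exe"},
]

# Office hosts that run VBA macros, and interpreters macros commonly hand off to.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Matches a per-user AppData path such as C:\Users\<name>\AppData\...
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons a process-creation event matches the macro-to-stager chain."""
    reasons = []
    if event.get("EventId") != 1:
        return reasons
    parent = basename(event.get("ParentImage", ""))
    image = event.get("Image", "")
    if parent in OFFICE_PARENTS:
        if image.lower().endswith(".exe") and APPDATA_RE.search(image):
            reasons.append("office-spawned-exe-in-appdata")
        elif basename(image) in SCRIPT_HOSTS:
            reasons.append("office-spawned-script-host")
    return reasons


def find_suspicious(events):
    """Return (user, image, reasons) for every event that matched at least one rule."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((e.get("User", ""), e.get("Image", ""), reasons))
    return hits
```

Running `find_suspicious(SAMPLE_EVENTS)` flags the first and third records and leaves the benign Word launch and the SYSTEM-owned updater alone; the user field is kept because, as the post notes, the stager runs as the logged-in user.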

We recommend informing users within your organization of this ongoing campaign and providing training on how to spot phishing emails.  

