The Emotet malware seems to be back from its 10-month vacation. In mid-November, new Emotet campaigns were discovered, along with the distressing news that it has started spreading malicious documents to inboxes across the world.
Revisiting the Emotet malware basics
Security professionals around the world wince when they hear the name of this infamous and dangerous strain of malware. It has been around for years, causing damage both through the payloads it delivers and through the backdoor access it gives its operators.
Emotet campaigns spread primarily via email. They drop a malicious attachment in the victim's mailbox. Once the victim takes the bait, the document's VBA macros run and download the Emotet DLL, which is then loaded on the victim's system via PowerShell and rundll32.
Emotet then scrapes the system for email addresses and message threads it can reuse in further phishing campaigns. It also installs other dangerous malware such as TrickBot or Qbot, which can in turn lead to a ransomware infection.
New Emotet campaigns start spamming again
Independent cybersecurity researcher Brad Duncan has noticed the stirrings of fresh Emotet campaigns, which have been spamming mailboxes all over the world.
According to this researcher, these Emotet spam campaigns use reply-chain email threads to trick the victim into opening malicious Word, Excel or ZIP attachments. The attackers take previously stolen email threads and reply to them from spoofed addresses, with the malware attached. The 'RE:' in the subject line makes the victim believe the conversation was already under way before they were involved, which gives a false sense of security and makes them less hesitant to open the attachment.
These new Emotet campaigns use anxiety-inducing subject lines such as missing wallets, cancelled meetings, political donation drives and dental insurance problems, all chosen to make the user react first and open the attachment before thinking.
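The reply-chain trick leaves traces in the message itself. The following triage script is an added example (it is not code from the original post, and it is not a vendor product) that checks a raw message for three signs of a spoofed 'RE:' lure: a reply subject without In-Reply-To/References threading headers, a From domain that does not match the envelope sender (Return-Path) domain, and an Office or ZIP attachment. The heuristics, the header choices and the two sample messages are assumptions constructed for the example.

```python
"""Triage heuristics for reply-chain phishing lures. Added example, not from the post."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Attachment types the post says the lures carry (Word, Excel, ZIP).
LURE_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".zip")


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header like 'Name <user@x.com>'."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def suspicious_reply_chain(raw: bytes) -> list:
    """Return the reasons a message looks like a spoofed reply-chain lure ([] if none).

    Heuristics (assumptions of this example, not rules stated in the post):
      1. Subject starts with RE:/FW: but there is no In-Reply-To or References header:
         a genuine reply is threaded, a forged one usually is not.
      2. From domain differs from the envelope sender (Return-Path) domain, which is
         what a spoofed sender address looks like once the mail has been delivered.
      3. An Office or ZIP attachment, the delivery vehicle described in the post.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = str(msg["Subject"] or "").strip().lower()
    if subject.startswith(("re:", "fw:", "fwd:")) and not (msg["In-Reply-To"] or msg["References"]):
        reasons.append("subject claims a reply but message is not threaded (no In-Reply-To/References)")

    from_dom, envelope_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    # Allow a bounce subdomain of the same organisation (mail.example.com for example.com).
    if from_dom and envelope_dom and not (envelope_dom == from_dom or envelope_dom.endswith("." + from_dom)):
        reasons.append(f"From domain {from_dom} does not match envelope sender domain {envelope_dom}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(LURE_EXTENSIONS):
            reasons.append(f"Office/ZIP attachment {name}")
    return reasons


def build_sample_lure() -> bytes:
    """Constructed sample modelled on the lure in the post: a 'RE:' message quoting a
    stolen-looking thread, sent from a spoofed From domain, with a .doc attached."""
    m = EmailMessage()
    m["Subject"] = "RE: Cancelled meeting"
    m["From"] = "Alice Example <alice@example.com>"
    m["Return-Path"] = "<bounce@sender.example.net>"
    m["To"] = "bob@example.org"
    m.set_content("Hi Bob,\n\nplease see the attached document.\n\n> On Mon, Bob wrote:\n> Can we move the meeting?\n")
    m.add_attachment(b"\xd0\xcf\x11\xe0 not a real document", maintype="application",
                     subtype="msword", filename="Meeting_notes.doc")
    return m.as_bytes()


def build_sample_legit_reply() -> bytes:
    """Constructed genuine reply for contrast: threaded, consistent domains, no attachment."""
    m = EmailMessage()
    m["Subject"] = "RE: Cancelled meeting"
    m["From"] = "Alice Example <alice@example.com>"
    m["Return-Path"] = "<alice@example.com>"
    m["To"] = "bob@example.org"
    m["In-Reply-To"] = "<1234@example.org>"
    m["References"] = "<1234@example.org>"
    m.set_content("Sure, Tuesday works.\n")
    return m.as_bytes()


if __name__ == "__main__":
    for label, builder in (("lure", build_sample_lure), ("legit", build_sample_legit_reply)):
        print(label, suspicious_reply_chain(builder()) or "nothing suspicious")
```

None of the three checks is proof on its own (mailing lists rewrite Return-Path, some clients drop References), which is why the function reports every matching reason rather than a single verdict; a gateway rule would typically quarantine only when the attachment check coincides with at least one of the other two.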
Whether it is a Word document or an Excel spreadsheet, the Emotet lure hides behind Office's own protections: the document opens locked, and the user is prompted to 'Enable Editing' and then 'Enable Content' before they can supposedly read it.
Once these are clicked, the macros run and launch a PowerShell command that downloads the Emotet DLL from a compromised WordPress site. The DLL is saved to the C:\ProgramData folder.
Next, the DLL is launched with C:\Windows\SysWOW64\rundll32.exe, which copies the DLL to a randomly named folder and re-runs it from there.
After a short interval, Emotet creates a startup value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that the malware is launched automatically when Windows starts. It then keeps running in the background, harvesting emails, installing additional payloads or, eventually, letting ransomware onto the system.
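Each step of that chain is visible in endpoint telemetry. The script below is an added example (not code from the original post or from any product) that runs three detection rules over Sysmon-style events: an Office application spawning a script host, rundll32 loading a DLL from a user-writable directory such as C:\ProgramData or AppData rather than from a Windows system directory, and a Run-key value that persists such a rundll32 command. The event field names (EventID, Image, ParentImage, CommandLine, TargetObject, Details), the writable-directory list and the sample events, including the DLL and folder names, are assumptions constructed for the example.

```python
"""Detection rules for the macro -> PowerShell -> rundll32 -> Run-key chain.
Added example, not from the post; event shape is Sysmon-like by assumption."""
import re

# Parent/child pairs from the chain in the post: an Office app spawning a script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Assumption: a DLL that rundll32 loads from one of these user-writable locations is
# worth a look; legitimate rundll32 use loads from C:\Windows\System32 or SysWOW64.
USER_WRITABLE_DLL_DIR = re.compile(
    r"^c:\\(programdata|users\\[^\\]+\\appdata|windows\\temp)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
DLL_PATH = re.compile(r'"?([a-z]:\\[^"\s,]+\.dll)"?', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _writable_dll(command_line: str):
    """Return the DLL path in a rundll32-style command line if it sits in a writable dir."""
    m = DLL_PATH.search(command_line)
    return m.group(1) if m and USER_WRITABLE_DLL_DIR.match(m.group(1)) else None


def detect(events):
    """Run the three rules over a list of Sysmon-style event dicts.

    Returns [(event_index, rule_name), ...] in event order."""
    hits = []
    for idx, ev in enumerate(events):
        if ev["EventID"] == 1:  # Sysmon process creation
            child = _basename(ev["Image"])
            parent = _basename(ev.get("ParentImage", ""))
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                hits.append((idx, "office_spawns_script_host"))
            if child == "rundll32.exe" and _writable_dll(ev.get("CommandLine", "")):
                hits.append((idx, "rundll32_loads_dll_from_writable_dir"))
        elif ev["EventID"] == 13:  # Sysmon registry value set
            details = ev.get("Details", "")
            if RUN_KEY.search(ev["TargetObject"]) and "rundll32" in details.lower() \
                    and _writable_dll(details):
                hits.append((idx, "run_key_persists_rundll32_dll"))
    return hits


# Constructed sample telemetry modelled on the chain in the post. Paths, the DLL
# name and the random folder name are made up for the example.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": OFFICE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\Meeting_notes.doc"'},
    {"EventID": 1, "Image": PS, "ParentImage": OFFICE,
     "CommandLine": "powershell.exe -w hidden -enc <base64-blob>"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": PS,
     "CommandLine": r"rundll32.exe C:\ProgramData\Upaweir.dll,Control_RunDLL"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\bob\AppData\Local\Kzfqmw\Kzfqmw.dll",Control_RunDLL'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Kzfqmw",
     "Details": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\bob\AppData\Local\Kzfqmw\Kzfqmw.dll",Control_RunDLL'},
    # Benign control: Windows itself runs rundll32 against system DLLs all the time.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The benign svchost/shell32 event at the end is there to show why the rules key on the DLL's directory and not on rundll32 itself: rundll32 is a signed Windows binary and appears constantly in normal telemetry, so it is the user-writable source path, the Office parent and the Run-key persistence that separate this chain from noise.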
Preventing Emotet campaigns from hitting you
With malware this devious, the wise move is to rely on an automated, modern email security tool. Awareness and presence of mind will help you stay wary of spam, and since every step of the chain above begins with a click on 'Enable Content', keeping macros blocked by policy for documents that arrive by email removes the attacker's first foothold. But why rely on that alone? Our lives aren't getting any less hurried, and cyber criminals will always try to exploit that. Instead, get a dependable email security service that handles email security risks FOR you.