The Emotet Trojan is taking advantage of the Halloween season by pushing out new spam templates that invite victims to a Halloween party. For those who are not familiar with Emotet, it is a malware that is spread through spam emails that contain malicious documents. These documents install the Emotet Trojan on the victim’s computer. After a successful infection, Emotet installs other malware and uses the victim’s computer to send out additional spam. Other malware that has typically been delivered by Emotet, as observed by Binary Defense analysts, includes the Trickbot malware that targets online banking users to steal money and the Ryuk ransomware that encrypts files and demands a ransom payment. To take advantage of Halloween, the Emotet authors have changed the email template that gives the recipient an invitation to click a button on the top of the email that states “Enable Content” so that they can view the hidden portions of the invitation. If a victim clicks that button, then the Trojan installs itself onto the victim’s system.
It is normally never a good practice to click links or downloads that are contained in unknown emails. Phishing emails are still the primary method of infection that attackers use. Microsoft Word documents and Excel spreadsheets attached to email messages are frequently used by attackers to spread malware, and most malware in document files require the person viewing the document to click the “Enable Content” button or double-click an image inside the document. A good method to prevent infection through documents is to use extra caution and think twice whenever a document or email contains specific instructions to press the “Enable Content” button or double-click anything in the document. Users are urged to have a robust antivirus and malware detection program that can prevent infections. For organizations, it is recommended to employ a 24-hour endpoint detection monitoring service such as the Binary Defense Security Operation Center. Endpoint monitoring solutions are in the perfect position to detect ransomware or attacker behaviors early in an intrusion and isolate the infected computer from the rest of the network to prevent the spread of damage.