Emotet is malware that typically spreads through email messages containing Word documents with malicious macros. Some of the email lures are actual messages with a reply chain history and other attachments, all stolen from other victims. When a victim opens these documents, they try to trick the victim into enabling the active content so that Emotet malware can be downloaded and installed on a computer. Once installed, Emotet will use the infected computer to send spam emails and ultimately install other malware packages that could lead to ransomware attacks on a victim’s network. Emotet has used a variety of lures to trick victims into opening such an attachment, such as faking invoices, shipping notices, resumes, purchase orders, or even COVID-19 information. This week Emotet has switched to a new trick, pretending to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature. In the malicious document, it instructs the user to click on a button that would “Enable Editing” and then the “Enable Content” button, which will cause the malicious macros to execute.
Analyst Notes
Binary Defense threat researchers are active contributors to the Cryptolaemus group—a collective of researchers who fight against Emotet, which is considered the most widely spread malware that targets users today. The most up-to-date Indicators of Compromise (IoCs) from the group’s combined research can be found at: https://paste.cryptolaemus.com/. Enterprise defenders should automate a daily task to consume the IoC list and use it for detecting Emotet campaigns. Individuals should try to recognize these malicious documents to keep from being infected. Do not automatically trust any Word or Excel document that comes from an external sender and which contains macros, embedded objects or any active content. When an email is received that states a program should be updated, the user should ask IT staff to perform the update, use the built-in Windows update program, or go directly to the program’s website to get the update. In addition to educating employees about the dangers of active content in Office documents, companies should deploy Endpoint Detection and Response (EDR) tools and have staff monitoring alerts 24 hours a day to catch any attacks that trick employees into running them, and stop intrusions in the early stages, before serious damage can be done. Binary Defense provides Managed Detection and Response (MDR) as well as managed SIEM monitoring and threat hunting services to stop attacks, no matter when they happen.
Source Article: https://www.bleepingcomputer.com/news/security/emotet-malware-now-wants-you-to-upgrade-microsoft-word/
