The Emotet botnet has returned with a venegeance

News
By published

After a five-month break, Emotet is back to distributing malware

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)

The dreaded Trojan Emotet is back after a five-month hiatus, kicking off a furious new malware distribution campaign, researchers are warning.

Researchers from Cryptolaemus, a group that tracks Emotet, observed the threat actor suddenly come to life and spam email addresses worldwide with phishing emails, in the early morning of November 2.

“Looks like Ivan is in need of some cash again so he went back to work. Be on the lookout for direct attached XLS files and zipped and password protected XLS,” the group warned in a Twitter thread

Weaponized Office files

As usual, the campaign revolves around weaponized Office documents, in this particular case - Excel files carrying malicious macros. 

The threat actor hijacks existing email chains, using the reply feature to distribute the document. There are a few notable changes to how the trick works, though, as Microsoft has recently disabled macros by default, and requires admins to specifically allow the feature to run. 

Furthermore, Windows now adds the Mark-of-the-Web (MoTW) flag to all files downloaded from the internet. When opened, MoTW flagged files will display a message saying they were downloaded from an insecure location and that they can only be opened in Protected View, to protect the users from accidentally running a malicious macro.

Read more

> Emotet is still the world's worst malware - but maybe not for long

> Google Chrome user profiles under attack from Emotet malware

> Here's our take on the best ID theft protection tools right now

That has prompted the criminals to add a specific message to the file, mimicking Excel’s security warning (the yellow horizontal bar above the content) and saying that, in order to run the file, it needs to be placed in the Office’s Templates folder.

All files run from the Templates folder automatically run macros. Indeed, it’s not that easy to add files to that specific folder, as Windows requests admin permission, but chances are - many victims will ignore these obvious red flags. 

So far, Emotet is sitting dormant on compromised endpoints, so the researchers can’t determine what kind of campaign it’s being used for. In the past, Emotet was used to drop Cobalt Strike beacons, TrickBot malware, and others. 

Via: BleepingComputer

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
Microsoft Outlook targeted by new malware attacks allowing sneaky hijacking
Russian flag on a laptop
Hackers are using Russian domains to launch complex document-based phishing attacks
linkedin
Watch out - that LinkedIn email could be a fake, laden with malware
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
A new Microsoft 365 phishing service has emerged, so be on your guard
Shutterstock.com / kanlaya wanon
Microsoft Teams abused in Russian email bombing ransomware campaign
Fraud
Hackers are tricking victims into scam-yourself attacks with fake tutorials, CAPTCHAs, and updates
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in this new thrilling F1 movie trailer
AI writer
Coding AI tells developer to write it himself
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight
Finger Presses Orange Button Domain Name Registration on Black Keyboard Background. Closeup View
I visited the world’s first registered .com domain – and you won’t believe what it’s offering today
Image showing detail of the Leica D-Lux 8
Still can't get a Fujifilm X100VI? This premium Leica compact costs less, and it's in stock
More about security
Data Breach

Thousands of healthcare records exposed online, including private patient information
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.

AI agents can be hijacked to write and send phishing attacks
A hand reaching out to touch a futuristic rendering of an AI processor.

Researchers want to embrace Arm's celebrated paradigm for a universal generative AI processor; a puzzling MEGA.mini core architecture

See more latest
Most Popular
A hand reaching out to touch a futuristic rendering of an AI processor.
Researchers want to embrace Arm's celebrated paradigm for a universal generative AI processor; a puzzling MEGA.mini core architecture
Finger Presses Orange Button Domain Name Registration on Black Keyboard Background. Closeup View
I visited the world’s first registered .com domain – and you won’t believe what it’s offering today
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
Nokia 5G 360 Camera
This is the world's first 8K 5G 360 degrees camera - and it is also weatherproof
AI writer
Coding AI tells developer to write it himself
Data Breach
Thousands of healthcare records exposed online, including private patient information
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in this new thrilling F1 movie trailer
Google Messages update
Google Messages could soon follow WhatsApp with an upgrade that makes it much easier to join group chats
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight
Nvidia RTX 6000
Details of Nvidia's fastest video card ever leak; RTX Pro 6000 Blackwell GPU will have 96GB GDDR7 ECC memory