Emotet malware operators are apparently on a continuous mission of enhancing the notorious malware family. They have recently come up with a new way to target their victims into opening up malicious documents.

Latest discovery

Until some time ago, Emotet botnet campaigns used an iOS-themed document template that informed users that the document was created on iOS, and the user needs to ‘Enable Content’ to view it properly. However, that is not the case anymore.
  • On August 25, 2020, the botnet started using a new template for its malicious Word documents. Researchers named it Red Dawn due to its red accent colors.
  • The Red Dawn template shows the message that the “Document is Protected” and preview is not available. To view the document content, users are urged to click the "Enable Content" button.
  • Clicking on the button will actually execute the macros and install the Emotet malware on the victim’s system. After infecting the system, Emotet malware may deliver other malware, such as Trickbot and QBot, and ransomware such as Conti or ProLock.

Recent news snippets

  • In end-August, TA542 was seen extending its Emotet campaigns to new geographical areas, such as Indonesia, the Philippines, Sweden, and India.
  • TA542 was also found leveraging country-specific local languages and popular topics such as COVID-19 to lure its victims.
  • Despite the detection and use of the kill switch, Emotet attacks rose to prominence (by volume) in July 2020, as per a Check Point report.

Tipping point

Emotet has been continuously updated with enhancements in its tactics of spreading malicious documents, which seems to be one of its favorite attack vectors. Thus, organizations need to be extra careful when dealing with emails containing attachments. The use of email security solutions, such as spam filters and gateways, can greatly reduce the risks related to this threat, experts say.

Cyware Publisher