Emotet is Back Again Using New Lure Text in the Documents

Delaware, USA – January 14, 2020 – Emotet malware finished its winter vacation, and immediately after returning to service launched spam campaigns targeting 80+ countries. This time, the Emotet operators went on vacation shortly before Christmas, on December 21, but unlike the summer break, the command-and-control infrastructure continued functioning. Three weeks later, on Monday morning, January 13, the botnet was back on track focusing on targets in the United States. Perhaps the “traditional” lure emails created using exfiltrated subjects and bodies via email harvesting module are not suitable for the Holiday Season and it is easier to rest for several weeks than to reconfigure the whole monstrous botnet.

Cybercriminals continue to use not only reply-chain attacks but also regular spam emails pretend to be various reports. Emails can contain malicious links or the attached document. In all detected campaigns, malicious documents contain new lure messages: “This document only available for desktop or laptop versions of Microsoft Office Word. To open the document, follow these steps: Click Enable editing button from the yellow bar above, Once you have enabled editing, please click Enable content button.” Documents contain a macro that downloads and installs Emotet malware.

Content to detect this malware available on Threat Detection Marketplace:
Emotet Trojan detector (Sysmon) – https://tdm.socprime.com/tdm/info/Dg6aXfaxOLWX/
Emotet Process Creation – https://tdm.socprime.com/tdm/info/9U8NXanTx6TC/