- Cybersecurity experts announced that Emotet is active once again after a 5-month break and is sending spam emails worldwide to find new victims.
- Experts are warning users about directly attached XLS files and zipped, password-protected XLS files, which is the most common delivery method Emotet uses.
- The Excel files instruct users to copy the file into the Templates folder in order to bypass Microsoft Office’s Protected View before downloading the malware.
Researchers stated that the Emotet malware operation is once again spamming malicious emails after 5 months of silence. It was one of the most widespread malware families until it suddenly stopped its operations on the 13th of June. Emotet spreads its infection through phishing campaigns that use Excel or Word documents.
Active after 5 months
When a user opens the Excel or Word document and enables macros, the macro downloads the Emotet DLL and loads it into memory. Emotet not only searches for and steals emails to further extend its spam campaigns, but it also drops payloads such as Cobalt Strike or other malware, which may lead to ransomware attacks.
Research group Cryptolaemus stated that on November 2nd, the Emotet operation became active once again and started spamming emails globally. According to user reports and uploads to VirusTotal, malicious files are being sent to users worldwide in various languages and under various file names. Most of these files pose as invoices, scans, electronic forms, or other documents.
🚨Emotet back in Distro Mode🚨 – As of 0800 UTC E4 began spamming and as of 0930 UTC E5 began spamming again. Looks like Ivan is in need of some cash again so he went back to work. Be on the lookout for direct attached XLS files and zipped and password-protected XLS. 1/x
— Cryptolaemus (@Cryptolaemus1) November 2, 2022
Microsoft adds a Mark-of-the-Web flag to files when they are downloaded from the Internet. When such a file is opened by the user, it opens in Protected View, which prevents its macros from running and installing malware. The latest Emotet Excel files, however, instruct users to copy the file into the trusted Templates folder, which lets the document bypass Protected View. Windows still warns the user and asks for administrator permission to do this. If the user then opens the attachment from the Templates folder, its macros execute and download the malware.
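The bypass described above leaves a detectable trace: a document that still carries the Mark-of-the-Web (a `Zone.Identifier` alternate data stream) but sits inside one of Excel's Trusted Locations. The following audit script is an added example, not code from the article or from Cryptolaemus; it assumes Windows PowerShell 5.1 or later and Office 16.0 (adjust `$OfficeVersion`), and the function names `Get-ExcelTrustedLocations` and `Get-MotwFilesInTrustedLocations` are hypothetical.

```powershell
# Added example (not from the article): list Excel's Trusted Locations and report
# downloaded Office documents (Mark-of-the-Web present) found inside them.
# Assumes Windows PowerShell 5.1+ and Office 16.0; change $OfficeVersion as needed.
param([string]$OfficeVersion = '16.0')

function Get-ExcelTrustedLocations {
    # Each Location* subkey holds a Path value. %APPDATA%\Microsoft\Templates is one of
    # the defaults, which is why the lure asks the victim to copy the file there.
    $base = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security\Trusted Locations"
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $p = (Get-ItemProperty -Path $_.PSPath).Path
        if ($p) { [Environment]::ExpandEnvironmentVariables($p) }
    }
}

function Get-MotwFilesInTrustedLocations {
    # Zone.Identifier with ZoneId=3 (Internet) or 4 (Restricted) marks a downloaded file.
    # Such a file inside a trusted folder matches the pattern described in the article.
    foreach ($dir in Get-ExcelTrustedLocations) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.xls,*.xlsm,*.xlsb,*.doc,*.docm `
            -ErrorAction SilentlyContinue | ForEach-Object {
            $zone = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier `
                -ErrorAction SilentlyContinue
            if (($zone -join "`n") -match 'ZoneId=([34])') {
                [pscustomobject]@{
                    Path            = $_.FullName
                    ZoneId          = $Matches[1]
                    TrustedLocation = $dir
                }
            }
        }
    }
}

# Print the findings; an empty table means no downloaded documents sit in a trusted folder.
Get-MotwFilesInTrustedLocations | Format-Table -AutoSize
```

Run it under the user account whose Office settings are being audited, since the Trusted Locations live in HKCU; any hit is worth triaging together with the user's recent downloads.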