A well-known variant of Ransomware known as the ‘Emotet botnet‘ has changed the way it’s distributing its payload. Recent reports from the Cyber-security world indicate it has begun to use a new malicious attachment that pretends to be a message from Windows Update telling you to upgrade Microsoft Word.
Emotet has been around for a while and is generally well known in the IT world, however, there is no silver bullet to prevent all ransomware attacks. Emotet typically spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim’s computer, which uses the computer to send spam email and ultimately leads to a ransomware attack on a victim’s network.
The Emotet malware has been relatively dormant recently, until it made a return to operation on October 14th. Cyber-security firms have noticed an increase in spam related to Emotet malware. These spam campaigns pretend to be invoices, shipping information, COVID-19 information, information about President Trump’s health, resumes, or purchase orders. Attached to these spam emails are malicious Word (.doc) attachments or links to download one. When opened, these attachments will prompt a user to ‘Enable Content’ so that malicious macros will run to install the Emotet malware on a victim’s computer. Most Office installations have Macros disabled by default, but to trick users into enabling the macros, Emotet uses various document templates, including pretending to be created on iOS devices, Windows 10 Mobile, or that the document is protected.
With its return to activity, Emotet switched to a new template that pretends to be a message from Windows Update stating that Microsoft Word needs to be updated before the document can be viewed:
Once a user clicks on the ‘Enable Editing’ and ‘Enable Content’ the malicious macros will download and install the Emotet malware on a victim’s computer.
Emotet is considered one of the most widely spread malware variants targeting users today. It is also particularly dangerous as it installs other malware variants such as Trickbot and QBot onto a victim’s computer. While these two malware variants perform malicious activity on their own, such as stealing stored passwords, banking information, and assorted other information, they also commonly lead to further ransomware attacks. Due to the multi-layered threat that this contains, it is vital to recognize the malicious document templates used by Emotet so that you do not accidentally become infected.
Won’t my Anit-Virus Program Stop This?
Not necessarily. Because you’re authorizing Microsoft Word to perform an action that is technically legitimate, such as Enabling Content for Macros, often AV programs will ignore this. Your best defence against this attack is a multi-layered approach that consists of the following: