New Ransomware Variant Disguises itself as “Windows Update” attachment


Important Security Update:

A well-known variant of ransomware known as the ‘Emotet botnet’ has changed the way it distributes its payload. Recent reports from the cyber-security industry indicate it has begun using a new malicious attachment that pretends to be a message from Windows Update telling you to upgrade Microsoft Word.

Emotet has been around for a while and is generally well known in the IT world; however, there is no silver bullet that prevents all ransomware attacks. Emotet typically spreads through spam emails carrying malicious Word or Excel documents. These documents use macros to download and install the Emotet Trojan on the victim’s computer, which is then used to send further spam email and ultimately leads to a ransomware attack on the victim’s network.

The Emotet malware had been relatively dormant recently, until it returned to operation on October 14th. Cyber-security firms have since noticed an increase in spam related to Emotet. These spam campaigns pretend to be invoices, shipping information, COVID-19 information, information about President Trump’s health, resumes, or purchase orders. Attached to these spam emails are malicious Word (.doc) attachments, or links to download one. When opened, these attachments prompt the user to ‘Enable Content’ so that the malicious macros can run and install the Emotet malware on the victim’s computer. Most Office installations have macros disabled by default, so to trick users into enabling them, Emotet uses various document templates, including ones that claim the document was created on an iOS device or on Windows 10 Mobile, or that the document is protected.

With its return to activity, Emotet switched to a new template that pretends to be a message from Windows Update stating that Microsoft Word needs to be updated before the document can be viewed:

Once a user clicks the ‘Enable Editing’ and ‘Enable Content’ buttons, the malicious macros download and install the Emotet malware on the victim’s computer.

Emotet is considered one of the most widespread malware variants targeting users today. It is also particularly dangerous because it installs other malware, such as Trickbot and QBot, onto the victim’s computer. While these two malware variants perform malicious activity on their own, such as stealing stored passwords, banking information, and assorted other data, they also commonly lead to further ransomware attacks. Because of this multi-layered threat, it is vital to recognize the malicious document templates used by Emotet so that you do not accidentally become infected.
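A mail-gateway style check for the delivery vector described above (Word attachments carrying macros), written for this article as an added example; it is not Partek’s code or any product’s logic. It inspects attachment bytes for an embedded VBA project in both legacy OLE .doc files and OOXML .docm files, and the sample inputs are constructed inside the script rather than taken from real Emotet mail.

```python
import io
import zipfile

# File signatures: OLE2 compound file (legacy .doc/.xls) and ZIP (OOXML .docx/.docm).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"

# OLE directory entry names are stored as UTF-16LE. The "_VBA_PROJECT" stream
# exists only when a VBA project is embedded in a legacy binary document.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def office_macro_indicators(data: bytes) -> list:
    """Return the reasons an attachment looks macro-enabled ([] if none found).

    Presence check only: it reports that a VBA project is embedded, not that the
    macros are malicious. A gateway would hold such mail for review.
    """
    reasons = []
    if data.startswith(ZIP_MAGIC):
        # OOXML stores a VBA project as the part word/vbaProject.bin (xl/ for Excel).
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith("vbaproject.bin"):
                    reasons.append(f"OOXML part {name} present")
    elif data.startswith(OLE_MAGIC) and OLE_VBA_MARKER in data:
        # Legacy .doc/.xls: the VBA project shows up as a named stream.
        reasons.append("OLE stream _VBA_PROJECT present")
    return reasons

def flag_attachments(attachments) -> list:
    """Given (filename, bytes) pairs, return the names that carry a VBA project."""
    return [name for name, data in attachments if office_macro_indicators(data)]

def build_sample_docm(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

# Constructed stand-ins for legacy .doc files: OLE magic plus a directory entry
# name. Real files have full sector structure; only the marker matters here.
SAMPLE_DOC_WITH_MACROS = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER
SAMPLE_DOC_CLEAN = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
```

Calling `flag_attachments` over a mailbox’s attachments returns the names to quarantine or send for analyst review; it complements, rather than replaces, the layered defences listed below.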

Won’t my Anti-Virus Program Stop This?

Not necessarily. Because you are authorizing Microsoft Word to perform an action that is technically legitimate, such as enabling content (macros), AV programs will often ignore it. Your best defence against this attack is a multi-layered approach consisting of the following:

  1. User Education: Share this article with your staff so they understand what to look for and the associated risks.
  2. Use a fully managed threat detection solution such as https://partek.ca/mtr
  3. Keep your network secure with up-to-date firewalls and an active security subscription.
  4. Back up any computer on your network that you consider important. In the event of a ransomware attack, simply restore the computer to its original state.
  5. Ensure you have a Business Continuity Plan in place and consider utilizing a full BCDR solution: https://partek.ca/bcdr/