Earlier in the month, it has been noticed that Emotet has switched to a new template pretending to be messages from Microsoft office stating that Microsoft Word needs to be updated to add a new feature.
Emotet is a malware infection that spreads through emails containing word documents embedded with malicious macros. The contents of these documents when opened will try and trick the user into enabling the macros so that the emotet malware will be downloaded and installed on the user’s computer.
Post-installation, the malware utilizes the host computer to spread spam emails and ultimately install other malware that could eventually lead to a ransomware attack on the network of the victim.
A variety of tricks are employed by the Emotet campaign luring the victims into opening an attachment, such as pretending to be invoices, shipping notices, resumes, or purchase orders, or even COVID-19 information.
A malicious version of a word document (.doc) is attached to these spam emails or a link to download one is included within the mail.
When this attachment is opened by the user, it displays as “Enable Content” prompt so that the malicious macro will run in the background to install the Emotet malware on the victim’s computer.
Emotet uses various designs, or document templates, to trick users into enabling the macros. These tricks can look like a warning to the users.
The new template from Emotet prompts users to update their version of Microsoft word so that a new feature can be added.
Upgrade your edition of Microsoft Word
Upgrading your edition will add new feature to Microsoft Word.
Please click Enable Editing and then click Enable Content.
The document tells the user to click on the Enable Editing and then the Enable Content button, to upgrade the Microsoft Word. However, this will cause the malicious macros to execute.
The Emotet malware will be downloaded and installed by the malicious macro into the %LocalAppData% folder as displayed below.
<Emotet malware installed in Windows>
Why is recognizing Emotet necessary?
Emotet is being considered as one of the most widely spread malware in the current era. It is particularly perilous since it is capable of installing other infections such as the Trickbot and QBot malware onto a victim’s computer.
When installed, these new infections like Trickbot and QBot will attempt to steal stored passwords, bank information, and assorted other information, while commonly leading to Conti or ProLock ransomware attacks.
Consequently, it is vital for all users to recognize malicious document templates used by Emotet so that no one becomes an accidental victim to spread its malice within and across the network.
To read more, please check eScan Blog