At least one cybercriminal group distributing the Emotet Trojan has started using a new tactic to infect end users with the malware. The malware is now being delivered using XML files disguised as Word documents, with the malware installed via embedded macros.
The Emotet Trojan is one of the most rapidly evolving malware variants. The malware is regularly updated with new functions and the methods used to distribute the malware and evade detection are in a constant state of flux.
The latest change in tactics was detected by researchers at Menlo Security, who noted that rather than using Word documents with malicious macros, the campaign involves XML files with .doc extensions. Most security software solutions will identify the file as an XML file, but around 10% of attacks were not detected by standard AV software.
If the emails are delivered and the file attachment is opened by end users, Word will be launched and the attack will progress as in previous campaigns. The change in tactics is believed to be an attempt to avoid sandboxes, according to Menlo.
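As an added defender-side example (not from the Menlo Security report or this article), the check below triages an attachment by its content rather than its extension and flags the combination described above: a Word 2003 XML body carrying an embedded macro blob but named as a .doc file. The `mso-application` processing instruction and the `editdata.mso` `w:binData` element are taken from the Word 2003 XML (WordprocessingML) format; the sample file bytes are constructed.

```python
import base64
import re

# Markers of a Word 2003 XML (WordprocessingML) file. Word opens it as a
# document whatever the extension says; a scanner keying on content sees XML.
XML_DECL = re.compile(rb"^\s*<\?xml\b")
WORD_PI = re.compile(rb'<\?mso-application\s+progid="Word\.Document"\?>')
# In this format VBA travels as a base64 ActiveMime blob named editdata.mso.
MACRO_BLOB = re.compile(rb'<w:binData\b[^>]*w:name="editdata\.mso"[^>]*>([^<]*)</w:binData>')
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of a genuine binary .doc


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment by content; 'block' is the XML-disguised-as-.doc lure."""
    looks_like_doc = filename.lower().endswith((".doc", ".dot"))
    verdict = {
        "filename": filename,
        "binary_doc": data.startswith(OLE_MAGIC),
        "word_xml": False,      # body is Word 2003 XML
        "ext_mismatch": False,  # .doc/.dot extension on an XML body
        "macro_blob": False,    # editdata.mso present and decodes to ActiveMime
    }
    if XML_DECL.match(data) and WORD_PI.search(data):
        verdict["word_xml"] = True
        verdict["ext_mismatch"] = looks_like_doc
        m = MACRO_BLOB.search(data)
        if m:
            try:
                blob = base64.b64decode(b"".join(m.group(1).split()), validate=True)
            except ValueError:  # binascii.Error is a ValueError: malformed base64
                blob = b""
            verdict["macro_blob"] = blob.startswith(b"ActiveMime")
    verdict["block"] = verdict["ext_mismatch"] and verdict["macro_blob"]
    return verdict


# Constructed sample: Word 2003 XML with a fake macro container, delivered as .doc.
SAMPLE_XML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\n'
    b'<w:docOleData><w:binData w:name="editdata.mso">'
    + base64.b64encode(b"ActiveMime" + b"\x00" * 22)
    + b"</w:binData></w:docOleData>\n"
    b"<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body>\n"
    b"</w:wordDocument>\n"
)
SAMPLE_BINARY_DOC = OLE_MAGIC + b"\x00" * 504  # constructed header-only legacy .doc

if __name__ == "__main__":
    for name, content in (("invoice.doc", SAMPLE_XML_DOC), ("memo.doc", SAMPLE_BINARY_DOC)):
        print(triage_attachment(name, content))
```

Only the .doc-named XML body with a macro blob is marked `block`; the same XML bytes named `.xml`, or a genuine binary .doc, are not, so the check complements rather than replaces macro inspection of the blob itself.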
A wide range of companies have been targeted in the past four weeks although the threat actors are primarily concentrating on healthcare organizations. 32.5% of detected attacks have been on healthcare companies, including hospitals and physician’s offices. Attacks are occurring at a rate of around 15 per day. Consumer product companies are also being targeted and account for 22.5% of attacks.
Emotet is the most commonly used Trojan and accounts for 76% of Trojan attacks and more than 55% of all malicious payloads. While the malware was initially developed as a banking Trojan, it now has the capability to download other malware variants and has been paired with a range of other malware types, including ransomware and information stealers.
Part of its success is the regular redevelopment of the malware to evade security solutions. Robust email security defenses are essential to block attacks, along with end user training to reduce the probability of the malicious emails and attachments being opened by end users.