In today's cyber security landscape, the Emotet botnet is one of the largest sources of malspam, a term for emails that deliver malicious attachments.
These malspam campaigns are vital for the Emotet operators.
They are what feeds new victims into the machine called Emotet, a Malware-as-a-Service (MaaS) operation rented out to other criminal groups.
To keep their emails from being caught and flagged as "malicious" or "unwanted", the Emotet team regularly changes how these messages are delivered and how both the messages and their attachments look.
Emotet operators rotate the subject lines, the body text and the attachment types, but also the contents of the attachment itself, which matters just as much as the rest of the email.
This is because a user receiving Emotet malspam must not only read the email and open the file, but also allow the file to run embedded scripts called "macros". Office does not run macros on its own: they execute only after the user clicks through the yellow security bar at the top of the document (the "Enable Editing" button, followed by "Enable Content" in current Office builds).
Tricking users into enabling macros is as important to the malware operators as designing their email templates, the malware itself or the botnet's backend infrastructure.
Over the years, Emotet has built up a collection of Office documents that use a wide variety of "lures" to persuade users to click the "Enable Editing" button.
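Because the whole infection chain hinges on a macro inside an Office attachment, the first check a mail gateway or responder wants is "does this file carry VBA at all, whatever its extension says?". The following is an added example, not code from the article or from any of the teams it cites: a triage-grade detector that looks for a vbaProject.bin part in OOXML (.docm/.xlsm) files and for the UTF-16LE "_VBA_PROJECT" stream name in legacy OLE2 (.doc/.xls) files. The sample files it is run on are constructed inline (a minimal ZIP and a faked OLE header), not real Emotet documents.

```python
import io
import zipfile

# Compound File Binary (OLE2) magic that opens legacy .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# ZIP local-file header signature; OOXML (.docx/.docm/.xlsm) is a ZIP archive.
ZIP_MAGIC = b"PK\x03\x04"


def has_vba_macros(data: bytes) -> bool:
    """True if the bytes look like an Office document that ships a VBA project.

    OOXML: the VBA project is a ZIP part named vbaProject.bin under word/, xl/ or ppt/.
    OLE2: VBA lives in a storage tree whose stream names are stored as UTF-16LE in the
    directory sectors; a '_VBA_PROJECT' stream is present in macro-bearing Word and
    Excel files. The OLE branch scans raw bytes instead of walking the directory tree,
    so it is a heuristic for triage, not a full parser.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("/vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def triage_attachments(attachments):
    """Names of the (name, bytes) attachments that carry VBA, regardless of extension."""
    return [name for name, data in attachments if has_vba_macros(data)]


def _make_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container, optionally with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def _make_ole(with_macros: bool) -> bytes:
    """Constructed stand-in for an OLE2 file: real magic plus padding and, optionally,
    the UTF-16LE directory-entry name that a macro project leaves in the file."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_macros:
        body += "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 20
    return body


if __name__ == "__main__":
    samples = [
        ("Invoice_4411.doc", _make_ole(True)),       # macro-bearing legacy .doc
        ("notes.doc", _make_ole(False)),
        ("report.docm", _make_ooxml(True)),
        ("report.docx", _make_ooxml(False)),
        ("scan.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ]
    print("attachments carrying VBA:", triage_attachments(samples))
```

For production triage the same question is answered more thoroughly by oletools' olevba, which parses the OLE directory and decompresses the macro source; the point of the check above is that the decision should rest on the container contents, not on the .doc/.docx extension or the icon the lure shows.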
But this week, Emotet is back with a new document lure.
Attachments sent in recent Emotet campaigns show a message claiming to come from Windows Update, telling users that Office needs to be updated. Of course, the "update" is applied by clicking the Enable Editing button.
According to an update from the Cryptolaemus team, these Emotet lures have been spammed to users around the world.
The same report says that on some infected hosts Emotet went on to install the TrickBot trojan, confirming a ZDNet report from earlier this week that the TrickBot botnet survived the recent takedown attempt by Microsoft and its partners.
These booby-trapped documents are sent under spoofed identities that appear to belong to known contacts and business partners.
In addition, Emotet often uses a technique called "conversation hijacking": it steals email threads from infected hosts, inserts itself into a thread with a reply that impersonates one of the participants, and attaches its Office document.
The technique is hard to spot, especially for users who handle business email all day, and this is why Emotet so often manages to infect corporate and government networks.
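What makes a hijacked reply detectable in practice is that the stolen thread is real but the sender is not: the display name matches someone who was on the original conversation, while the actual mailbox belongs to a compromised or attacker-controlled host, and the reply arrives with an Office attachment that the thread never had. The following is an added example, not code from the article or from Cryptolaemus, showing that check with Python's standard email library. The thread it inspects (an original from "Ana Popescu", a hijacked reply with the same name from another domain, and a benign genuine reply) is constructed inline; the domains and names are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Emotet-style lures arrive with; legacy .doc is by far the most common.
OFFICE_EXTS = (".doc", ".docm", ".dot", ".xls", ".xlsm", ".xlsb")


def participants(msg):
    """Set of (display name, address) pairs seen in From/To/Cc of one message."""
    pairs = set()
    for hdr in ("From", "To", "Cc"):
        for header in msg.get_all(hdr, []):
            for a in header.addresses:
                pairs.add((a.display_name.strip().lower(), a.addr_spec.lower()))
    return pairs


def office_attachments(msg):
    """Filenames of attached Office documents."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(OFFICE_EXTS)]


def hijack_indicators(reply_raw, thread_raw):
    """Reasons a reply into a known thread looks like conversation hijacking.

    Heuristic: the reply's From display name matches a participant of the parent
    message (found via In-Reply-To) while the address differs, and/or the reply
    carries an Office attachment. Either alone is a signal; both together are strong.
    """
    reply = email.message_from_bytes(reply_raw, policy=policy.default)
    by_id = {}
    for raw in thread_raw:
        m = email.message_from_bytes(raw, policy=policy.default)
        by_id[m["Message-ID"].strip()] = participants(m)
    parent = reply.get("In-Reply-To")
    if parent is None or parent.strip() not in by_id:
        return []  # not a reply into a thread we hold; other checks apply
    reasons = []
    sender = reply["From"].addresses[0]
    name, addr = sender.display_name.strip().lower(), sender.addr_spec.lower()
    for known_name, known_addr in by_id[parent.strip()]:
        if name and name == known_name and addr != known_addr:
            reasons.append(f"sender name '{sender.display_name}' matches thread participant "
                           f"{known_addr} but the reply comes from {addr}")
    docs = office_attachments(reply)
    if docs:
        reasons.append("reply into an existing thread carries Office attachment(s): " + ", ".join(docs))
    return reasons


def _build_messages():
    """Constructed sample thread: the legitimate original, a hijacked reply, a benign reply."""
    original = EmailMessage()
    original["From"] = "Ana Popescu <ana.popescu@partner.example>"
    original["To"] = "Bob Ionescu <bob@victim.example>"
    original["Subject"] = "Invoice 4411"
    original["Message-ID"] = "<orig-1@partner.example>"
    original.set_content("Hi Bob, the invoice details are below.")

    hijacked = EmailMessage()
    hijacked["From"] = "Ana Popescu <a.popescu@unrelated-host.example>"  # same name, other mailbox
    hijacked["To"] = "Bob Ionescu <bob@victim.example>"
    hijacked["Subject"] = "RE: Invoice 4411"
    hijacked["In-Reply-To"] = "<orig-1@partner.example>"
    hijacked["Message-ID"] = "<reply-2@unrelated-host.example>"
    hijacked.set_content("Please see the attached document.\n\n> Hi Bob, the invoice details are below.")
    # Placeholder bytes with the OLE2 magic stand in for the macro document.
    hijacked.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
                            maintype="application", subtype="msword", filename="Invoice_4411.doc")

    benign = EmailMessage()
    benign["From"] = "Ana Popescu <ana.popescu@partner.example>"
    benign["To"] = "Bob Ionescu <bob@victim.example>"
    benign["Subject"] = "RE: Invoice 4411"
    benign["In-Reply-To"] = "<orig-1@partner.example>"
    benign["Message-ID"] = "<reply-3@partner.example>"
    benign.set_content("Bob, did the invoice come through?")
    return original.as_bytes(), hijacked.as_bytes(), benign.as_bytes()


if __name__ == "__main__":
    original, hijacked, benign = _build_messages()
    print("hijacked:", hijack_indicators(hijacked, [original]))
    print("benign:", hijack_indicators(benign, [original]))
```

The name-versus-address comparison is what a human reader skips, because mail clients show the display name and hide the mailbox; a gateway that holds the original thread (or at least its participants) can make the comparison every time. The attachment rule is deliberately broad: an Office document appearing mid-thread from a sender whose address has changed is worth quarantining even when the macro check on the file itself is inconclusive.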