Wednesday, October 21, 12:13

Emotet: New campaigns represent emails for Windows Update

In today's cyber security landscape, the Emotet botnet is one of the largest sources of malspam, the term for emails that carry malicious attachments.

These malspam campaigns are absolutely vital for Emotet operators.

They are what feeds the botnet, supplying new victims to the Emotet machine, a Malware-as-a-Service (MaaS) operation rented out to other criminal groups.


To prevent their emails from being picked up and marked as "malicious" or "unwanted", the Emotet team regularly changes how these messages are delivered and how the messages and their attachments are composed.

Emotet operators change the subject lines, the body text and the type of attachment, but also the contents of the attachment, which matter just as much as the rest of the email.

This is because users receiving Emotet malspam, in addition to reading the email and opening the file, must also allow the file to run automated scripts called "macros". Office macros run only after the user clicks the "Enable Editing" button that appears inside the Office file.

Tricking users into enabling editing is just as important to the malware operators as designing their email templates, their malware or the botnet's backend infrastructure.

Over the years, Emotet has built up a collection of Office documents that use a wide variety of "lures" to persuade users to click the "Enable Editing" button.

But this week, Emotet is back with a new document lure.

Attachments sent in recent Emotet campaigns show a message claiming to come from Windows Update, telling users that Office must be updated. Of course, this must be done by clicking the Enable Editing button.

According to an update from the Cryptolaemus team, these Emotet lures have been spammed to users around the world.

According to the same report, on some infected hosts Emotet installed the TrickBot trojan, confirming a ZDNet report released earlier this week that the TrickBot botnet survived a recent takedown attempt by Microsoft and its partners.

These booby-trapped documents are emailed from spoofed identities that appear to belong to acquaintances and business partners.

In addition, Emotet often uses a technique called "conversation hijacking": it steals email threads from infected hosts, inserts itself into the thread with a reply that impersonates one of the participants, and adds the Office attachments to that reply.

The technique is difficult to spot, especially for users who handle business email all day, and this is why Emotet so often manages to infect corporate and government networks.
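A triage check for the reply-chain pattern described above, added here as an example and not taken from the original article: it flags a message that continues an existing thread, carries a macro-capable Office attachment, and arrives from a domain outside the thread's known participants. The sample message, the list of known domains and the extension list are constructed for the example.

```python
"""Triage heuristic for the Emotet conversation-hijacking pattern.

A hijacked thread looks like a normal reply (In-Reply-To/References set),
names a real participant in the display name, but is sent from an address
on an unrelated domain and carries a macro-capable Office attachment.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Attachment extensions that can carry VBA macros (constructed list, not exhaustive)
MACRO_EXTS = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".pptm")


def reply_chain_hijack_score(raw: str, known_domains: set) -> dict:
    """Return which indicators fire for one RFC 5322 message and a combined verdict."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    indicators = {
        # Claims to continue an existing conversation
        "is_reply": bool(msg.get("In-Reply-To") or msg.get("References")),
        # Carries an attachment type that can hold macros
        "macro_attachment": any(
            (part.get_filename() or "").lower().endswith(MACRO_EXTS)
            for part in msg.iter_attachments()
        ),
        # Sender domain is not one of the thread's legitimate participants
        "foreign_sender": bool(from_domain) and from_domain not in known_domains,
    }
    indicators["suspicious"] = all(indicators.values())
    return indicators


# Constructed sample: display name of a real partner, address on a foreign domain,
# reply headers pointing into an existing thread, .doc attachment.
SAMPLE = """\
From: "Jane Roe" <jane.roe@mail-relay.example.net>
To: bob@corp.example
Subject: RE: Q3 invoice
In-Reply-To: <abc123@corp.example>
References: <abc123@corp.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Bob, see attached as discussed.
--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(reply_chain_hijack_score(SAMPLE, {"corp.example", "partner.example"}))
```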


Teo Ehc
