Exactly one week ago, Emotet, one of the most dangerous threats to organizations in the last year, resumed its malicious spam campaigns after several months of inactivity. Based on our telemetry, we can see that the botnet started becoming chatty with its command and control servers (C2), about a week or so before the spam came through.
Figure 1: Communications with Emotet C2s over 90 days
To kick off its spam campaign last week, Emotet resumed spear phishing tactics it adopted in late spring 2019, hijacking old email threads with personalized subject lines and appearing as old invoices.
This week, Emotet is trying a different tactic, incorporating the news about NSA whistleblower Edward Snowden’s new book Permanent Record as a lure. The memoir, which is already on Amazon’s bestseller list, has been the subject of intense debates. In addition, the US government is also suing Snowden for violating non-disclosure agreements and publishing without prior approval.
Criminals are known to capitalize on newsworthy events for scams and other social engineering purposes. In this particular case, Emotet authors are supposedly offering Snowden’s memoir as a Word attachment. We collected emails from our spam honeypot in English, Italian, Spanish, and German claiming to contain a copy of Snowden’s book in Word form.
Upon opening the document, a fake message that “Word hasn’t been activated” is displayed to victims who are prompted to enable the content with a yellow security warning. Once they do, nothing appears to happen. However, what users don’t see is the malicious macro code that will execute once they click on the button.
Figure 3: Fake document containing macro codeThe macro triggers a PowerShell command that will retrieve the Emotet malware binary from a compromised WordPress site. After infection, the machine will attempt to reach out to one of Emotet’s many C2s:
Figure 4: Network traffic upon infection
As each new week rolls in, the threat actors behind Emotet are always punctual with delivering their spam messages, thanks to their large botnet. And once they’ve spammed and infiltrated an endpoint, their work is far from over. As we’ve said before, Emotet is a double or even triple threat if it is not quarantined right away.
Follow up payloads, such as TrickBot and Ryuk ransomware are those that can truly cripple any business that is not prepared.
Malwarebytes business users and Premium home users are already protected against this threat.
Indicators of Compromise (IOCs)
Malicious Word document
Emotet C2: 18.104.22.168:7080/chunk/window/ringin/
Emotet C2: 133.130.73[.]156
Emotet C2: 178.32.255[.]133
The post Emotet malspam campaign uses Snowden’s new book as lure appeared first on Malwarebytes Labs.
Powered by WPeMatico