The Emotet botnet has returned with a venegeance

After a five-month break, Emotet is back to distributing malware

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The dreaded Trojan Emotet is back after a five-month hiatus, kicking off a furious newmalwaredistribution campaign, researchers are warning.

Researchers from Cryptolaemus, a group that tracks Emotet, observed the threat actor suddenly come to life and spam email addresses worldwide with phishingemails, in the early morning of November 2.

“Looks like Ivan is in need of some cash again so he went back to work. Be on the lookout for direct attached XLS files and zipped and password protected XLS,” the group warned in aTwitter thread.

Weaponized Office files

As usual, the campaign revolves around weaponized Office documents, in this particular case - Excel files carrying malicious macros.

The threat actor hijacks existing email chains, using the reply feature to distribute the document. There are a few notable changes to how the trick works, though, asMicrosofthas recently disabled macros by default, and requires admins to specifically allow the feature to run.

Furthermore, Windows now adds the Mark-of-the-Web (MoTW) flag to all files downloaded from the internet. When opened, MoTW flagged files will display a message saying they were downloaded from an insecure location and that they can only be opened in Protected View, to protect the users from accidentally running a malicious macro.

Emotet is still the world’s worst malware - but maybe not for long>Google Chrome user profiles under attack from Emotet malware>Here’s our take on the best ID theft protection tools right now

That has prompted the criminals to add a specific message to the file, mimicking Excel’s security warning (the yellow horizontal bar above the content) and saying that, in order to run the file, it needs to be placed in the Office’s Templates folder.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

All files run from the Templates folder automatically run macros. Indeed, it’s not that easy to add files to that specific folder, as Windows requests admin permission, but chances are - many victims will ignore these obvious red flags.

So far, Emotet is sitting dormant on compromisedendpoints, so the researchers can’t determine what kind of campaign it’s being used for. In the past, Emotet was used to drop Cobalt Strike beacons, TrickBot malware, and others.

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Windows PCs targeted by new malware hitting a vulnerable driver

Dangerous Android banking malware looks to trick victims with fake money transfers

Apple iMac 24-inch M4 (2024) review: the best, and most colorful, all-in-one computer levels up