The dreaded Emotet Trojan is back after a five-month hiatus, returning with a furious new malware distribution campaign, researchers warn.
Researchers at Cryptolaemus, a group that tracks Emotet, saw the threat actor suddenly come to life in the early morning of Nov. 2, spamming email addresses worldwide with phishing emails.
“Looks like Ivan needs some money again, so he went back to work. Be wary of directly attached XLS files and zipped and password-protected XLS,” the group warned in a Twitter thread.
Armed Office Files
As usual, the campaign revolves around weaponized Office documents, in this particular case – Excel files with malicious macros.
The threat actor hijacks existing email chains and uses the reply function to distribute the document. However, there are a few notable changes to how the trick works, because Microsoft recently disabled macros by default and now requires administrators to explicitly enable the feature.
In addition, Windows now adds the Mark-of-the-Web (MoTW) flag to all files downloaded from the Internet. When such a file is opened, Office displays a message stating that it was downloaded from an insecure location and can only be opened in Protected View, which protects users from accidentally running a malicious macro.
That prompted the criminals to add a specific message to the file, mimicking Excel’s security warning (the yellow horizontal bar above the contents) and telling the victim that, in order to run the file, it must be copied into Office’s Templates folder.
Files opened from the Templates folder run their macros automatically. Adding files to that particular folder is not quite trivial, as Windows asks for administrator rights, but chances are that many victims will ignore these obvious red flags.
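The Templates trick described above leaves a trace a defender can look for: a document that a victim copied into the trusted Templates folder still carries its Zone.Identifier stream, so it sits in a macro-trusted location while being marked as downloaded from the Internet. The following PowerShell is an added example, not code from the article or from Cryptolaemus; it assumes the default per-user Office Templates path (%APPDATA%\Microsoft\Templates) and reports Office documents there that still have MoTW (ZoneId=3).

```powershell
# Added example (not from the article): flag Office documents in the user's Office
# Templates folder that still carry Mark-of-the-Web (Zone.Identifier with ZoneId=3),
# i.e. Internet-downloaded files that were moved by hand into a macro-trusted location.
# The folder path is the Office default and is an assumption about your environment.

$templates = Join-Path $env:APPDATA 'Microsoft\Templates'
$officeExt = '*.xls', '*.xlsm', '*.xlsb', '*.xlsx', '*.xltm', '*.doc', '*.docm', '*.dotm'

Get-ChildItem -Path $templates -Include $officeExt -File -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    # MoTW lives in an alternate data stream named Zone.Identifier; locally created
    # files have no such stream, so Get-Content returns nothing for them.
    $zone = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($zone -match '^ZoneId=3') {
      # Browsers and mail clients often record where the file came from; surface it
      # for the analyst when present (these keys are optional in the stream).
      $refUrl  = ($zone | Where-Object { $_ -like 'ReferrerUrl=*' }) -replace '^ReferrerUrl=', ''
      $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' })     -replace '^HostUrl=', ''
      [pscustomobject]@{
        Path        = $file.FullName
        LastWrite   = $file.LastWriteTime
        ReferrerUrl = $refUrl
        HostUrl     = $hostUrl
      }
    }
  } | Format-Table -AutoSize
```

Any hit is worth triage: a legitimate template rarely arrives as an Internet download, and an Excel file in this folder that was written around the time of a suspicious reply-chain email matches the lure described above.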
So far, Emotet is dormant on compromised endpoints, so the researchers can’t determine what kind of campaign it’s used for. In the past, Emotet was used to drop Cobalt Strike beacons, TrickBot malware, and others.
Via: BleepingComputer