The operators of the Emotet banking trojan are actively looking for new ways to lure their victims. Emotet, the Windows-specific banking trojan, has been adopting new tricks, often involving Microsoft productivity tools (such as Microsoft Office 365) or Windows OS-related messages and alerts.
Observations
Recently, Emotet operators have switched to a new template related to Microsoft Office to gain the trust of their potential targets.
• Hackers are using this new trick to send out fake update notifications via malicious emails camouflaged as messages from the Microsoft Office team.
• Upon opening the attached document, users see a message asking them to click ‘Enable Editing’ to update Microsoft Word and add a new feature. When they do, the document's macros download and install the Emotet malware.
• Emotet further infects the system with more malware, possibly TrickBot, QBot, Conti, and ProLock.
Recent Incidents
In the past few months, a huge surge has been observed in Emotet malware campaigns, which has made this malware one of the top threats.
• A few days ago, Emotet malware was seen using fake Windows Update templates to deliver malware payloads.
• Thousands of emails mimicking Democratic Party-related messaging were observed, asking people to volunteer for the party before upcoming elections.
Mitigation
At the beginning of the month, the Italian cybersecurity company TG Soft launched a new service called Have I Been Emotet, which can check whether a given domain name or email address has been used in any Emotet campaign.
Conclusion
Emotet operators have been continuously changing their attack tactics and coming up with new ways to lure victims. Therefore, experts recommend strict policies such as security controls on incoming email and hardening endpoints through group policy objects. Moreover, organizations need to regularly train their employees through awareness programs covering current trends to ensure the complete security of their networks.
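The "Enable Editing" lure described above only works if Office is allowed to run macros from a document that arrived by email. The following PowerShell script is an added example (not part of the original article, and not TG Soft's or Microsoft's code) of the kind of group policy setting the conclusion refers to: it sets the documented Office policy values that block macros in files carrying Mark-of-the-Web and that set the default macro security level, then reads them back. It assumes Office 2016/2019/365 (registry hive 16.0) and runs in the target user's context; in a domain the same values would normally be delivered through a GPO built from the Office ADMX templates rather than by script.

```powershell
# Added example: harden Word, Excel and PowerPoint against macro-based lures
# such as the fake "Enable Editing" update notice used by Emotet.
# Assumptions: Office 16.0 hive (2016/2019/365); HKCU policy path; run as the
# user whose profile should be hardened (or push the same values via GPO).

$OfficeApps = @('Word', 'Excel', 'PowerPoint')
$HiveVersion = '16.0'

function Get-OfficeSecurityPolicyPath {
    param([Parameter(Mandatory)][string]$App)
    "HKCU:\Software\Policies\Microsoft\Office\$HiveVersion\$App\Security"
}

function Set-OfficeMacroPolicy {
    param(
        [Parameter(Mandatory)][string]$App,
        # VBAWarnings: 2 = disable with notification (the default that shows the
        # "Enable Content" bar attackers rely on), 3 = disable all except
        # digitally signed macros, 4 = disable all without notification.
        [ValidateSet(2, 3, 4)][int]$VbaWarningsLevel = 4
    )
    $path = Get-OfficeSecurityPolicyPath -App $App
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # Block macros in files that carry Mark-of-the-Web, i.e. email attachments
    # and downloads; this stops the lure even when a user clicks through.
    New-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    # Macro security level applied to all other documents.
    New-ItemProperty -Path $path -Name 'VBAWarnings' `
        -Value $VbaWarningsLevel -PropertyType DWord -Force | Out-Null
}

function Get-OfficeMacroPolicy {
    param([Parameter(Mandatory)][string]$App)
    $path = Get-OfficeSecurityPolicyPath -App $App
    $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
    [pscustomobject]@{
        Application         = $App
        BlockInternetMacros = $props.blockcontentexecutionfrominternet
        VBAWarnings         = $props.VBAWarnings
        Hardened            = ($props.blockcontentexecutionfrominternet -eq 1) -and
                              ($props.VBAWarnings -ge 3)
    }
}

# Apply the policy to each application, then report the resulting state.
foreach ($app in $OfficeApps) {
    Set-OfficeMacroPolicy -App $app -VbaWarningsLevel 4
}
$OfficeApps | ForEach-Object { Get-OfficeMacroPolicy -App $_ } | Format-Table -AutoSize
```

Use level 3 instead of 4 if the organization depends on internally signed macros; the `blockcontentexecutionfrominternet` value is the one that directly defeats the email-attachment lure, since it refuses to run macros from any file marked as having come from the Internet regardless of what the user clicks.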