Emotet is back.
N2K, Mar 9, 2023

The Emotet botnet has resumed activity this week, sending malicious emails in a new campaign.

Emotet is back.

Bleeping Computer writes that the Emotet botnet has been observed sending malicious emails once again. Microsoft's decision to block macros by default in Office documents has blunted this attack chain.

Emotet botnet out of hibernation.

Cybersecurity firm Cofense reports that malicious activity from Emotet was observed beginning again on Tuesday morning. Cofense told Bleeping Computer that the campaign resumed at 7:00AM EST, saying “Volume remains low at this time as they continue to rebuild and gather new credentials to leverage and address books to target.”

The emails in the newer campaign purport to be invoices, rather than the reply-chain emails Emotet has used in the past. The invoice attachment contains a document built on Emotet's "Red Dawn" template, which prompts the user to click Enable Editing and Enable Content. If the user does so, the document's macros download the Emotet loader and run it in the background, and Emotet can then drop further payloads, researchers say.

Microsoft’s security changes have an impact.

Bleeping Computer notes that in July 2022 Microsoft began blocking macros by default in Office documents that carry a Mark of the Web. When such a document is opened, a Security Risk banner tells the user that macros have been blocked because the file's source is untrusted. The block applies both to attachments downloaded from the Internet and to attachments saved from emails, ANALYGENCE senior vulnerability analyst Will Dormann told the outlet.
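As an added example (not code from the article, Bleeping Computer, Cofense or Microsoft), the Python script below triages a suspicious Office attachment along the two axes just described: does it ship a VBA project (the macros that fetch the loader), and does its Mark of the Web, stored on NTFS in the Zone.Identifier alternate data stream, place it in a zone where Office's default macro block applies? The sample container and Zone.Identifier streams are constructed inline; the zone-to-block mapping and the part names are stated in the comments as assumptions about Office's behaviour.

```python
"""Triage an Office attachment: VBA project present? Mark of the Web zone blocked?

Added example, not code from the article or any vendor. Sample files and
Zone.Identifier streams are constructed here, not real Emotet samples.
"""
import io
import zipfile
from typing import Optional

# URLZONE values written to the Zone.Identifier stream (Mark of the Web).
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
# Assumption: Office's default (July 2022 onward) blocks VBA outright for these zones.
BLOCKED_ZONES = {3, 4}

# OOXML part that holds VBA in Word; Excel uses xl/vbaProject.bin, PowerPoint ppt/vbaProject.bin.
OOXML_VBA_PART = "word/vbaProject.bin"


def has_vba_project(doc: bytes) -> bool:
    """True if an OOXML container carries any vbaProject.bin part (i.e. ships macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not OOXML. Legacy OLE2 .doc files store macros differently; out of scope here.
        return False


def parse_zone_identifier(stream: Optional[str]) -> Optional[int]:
    """Parse the text of a Zone.Identifier stream and return its ZoneId, or None."""
    if not stream:
        return None
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if line.startswith("["):
            in_section = False
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def triage(doc: bytes, zone_identifier: Optional[str]) -> dict:
    """Combine both checks into a verdict a responder can act on."""
    macros = has_vba_project(doc)
    zone = parse_zone_identifier(zone_identifier)
    blocked = macros and zone in BLOCKED_ZONES
    if not macros:
        verdict = "no VBA project: not this style of macro lure"
    elif blocked:
        verdict = "macros present but blocked by default Office policy (MOTW zone %d)" % zone
    else:
        verdict = "macros present and NOT blocked by default: no MOTW or non-Internet zone"
    return {
        "has_macros": macros,
        "zone_id": zone,
        "zone": ZONE_NAMES.get(zone),
        "blocked_by_default": blocked,
        "verdict": verdict,
    }


def build_sample_docm(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr(OOXML_VBA_PART, b"\x00" * 16)
    return buf.getvalue()


# Constructed Zone.Identifier stream, as a browser or mail client writes for an Internet download.
INTERNET_ZONE = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.zip\r\n"


def read_zone_identifier(path: str) -> Optional[str]:
    """On Windows/NTFS the stream is reachable as '<path>:Zone.Identifier'; None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    cases = [
        ("Internet download with macros", build_sample_docm(True), INTERNET_ZONE),
        ("macros, MOTW stripped (archiver that drops the ADS)", build_sample_docm(True), None),
        ("clean invoice", build_sample_docm(False), INTERNET_ZONE),
    ]
    for label, doc, zi in cases:
        print(label, "->", triage(doc, zi)["verdict"])
```

The second case is the one to watch for: if the document was extracted from an archive by a tool that does not propagate the Zone.Identifier stream, Office sees no Mark of the Web and the default block does not apply, so the macros run as soon as the user clicks Enable Content.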

Expert assessment and recommendations in defense against Emotet.

OneSpan Field CTO Will LaSala has been keeping a close eye on the evolution of Emotet campaigns, and highlights the importance of app shielding and risk management tools:

“Emotet is a dangerous mobile malware variant. It attacks many organizations and hopes to steal credentials and PII from unsuspecting users. These mobile malware variants are designed to attack specific organizations and markets, such as the financial space. Mobile malware is ever changing and can change quickly and be redeployed to attack new verticals at a moment’s notice.

“With such a fast paced mobile malware world, it is important for organizations to leverage technologies such as app shielding that can be used to prevent an attack before it can be targeted. Organizations should also employ strong risk management tools with artificial intelligence and machine learning that can detect threats as they occur and then can ensure that your applications can react to those increased threats. Applications should be able to add strong authentication when new or additional risk is detected.”