The .doc attachment contacts a URL, exploiting the Equation Editor vulnerability, and downloads an executable: the malware. Data is then exfiltrated via SMTP to an email address.
Emotet is back in distribution mode. Cryptolaemus cybersecurity researchers detected that Epoch 4 and Epoch 5 have begun spamming again. Infections arrive via directly attached XLS files and password-protected zipped XLS files.
Emotet is back in distribution mode. Cryptolaemus cybersecurity researchers reported it, detecting that Epoch 4 and Epoch 5 have begun spamming again. The current infection vectors are directly attached XLS files and password-protected zipped XLS files sent from stolen email threads, armed with malicious macros. According to the Italian CERT-AgID, the drop URLs used by the macro, partially readable directly from the XLS file, are used to download the usual malware DLL (64-bit), which is then executed with the classic regsvr32 command. Moreover, 58 C2 servers were detected and, from a sample comparison with previous campaigns, almost all of the IPs had already been used by the Epoch 4 botnet.
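The Excel-macro-to-regsvr32 execution chain described above leaves a recognisable parent/child pattern in process-creation telemetry. The following detection is an added example, not code from the article, Cryptolaemus or CERT-AgID; the Sysmon-style records are constructed, and the "user-writable path raises severity" heuristic is an assumption rather than a documented Emotet drop location.

```python
import re
from dataclasses import dataclass

# Constructed, simplified Sysmon Event ID 1 records as a SIEM might flatten
# them (fields joined by "|"). These are NOT real telemetry from the campaign.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32 C:\\Users\\user\\AppData\\Local\\Temp\\fk2jd.dll",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32 /s C:\\Program Files\\Vendor\\comctl.dll",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c dir",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\SysWOW64\\regsvr32.exe"
    "|CommandLine=regsvr32.exe /s C:\\ProgramData\\x.ocx",
]

# Office hosts that should practically never need to register a COM DLL.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Assumed heuristic: a DLL loaded from a user-writable directory is more
# suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|downloads|public)\\", re.I)


@dataclass
class Alert:
    reason: str
    severity: str
    command_line: str


def parse_event(line):
    """Split a flattened 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def inspect(line):
    """Return an Alert when an Office process spawns regsvr32, else None."""
    ev = parse_event(line)
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_PARENTS or image != "regsvr32.exe":
        return None
    cmd = ev["CommandLine"]
    severity = "high" if USER_WRITABLE.search(cmd) else "medium"
    return Alert(f"{parent} spawned regsvr32", severity, cmd)


def scan(lines):
    """Run the detection over a batch of records and collect the alerts."""
    return [alert for alert in (inspect(line) for line in lines) if alert]
```

Legitimate regsvr32 use (installers, explorer.exe) is left alone; only the Office parent triggers, so the rule stays low-noise even without the path heuristic.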