Reversing Labs cybersecurity experts: Anyone who opens the malicious Word attachment must make several additional clicks to activate the embedded malware.
Bleeping Computer: Emotet is back with a new worldwide campaign
Emotet is back. After five months of inactivity, the well-known malware has emerged again in a massive campaign of malicious emails targeting users worldwide. According to the Bleeping Computer cyber security experts, limited activity was seen earlier in the week, but the malicious documents included at that point were still using old URLs. Emotet expert Joseph Roosen stated that the botnet is now spewing forth massive amounts of spam, and that the malicious documents use new URLs, commonly on hacked WordPress sites. One of the spam emails shared by Binary Defense is a reply-chain template that pretends to be a shipping document from loomis-express.com. Cofense Labs also said that the predominant template they are seeing has a subject of "Jobs GO", and that quite a few use an "Expedia Payment Remittance Advice" subject or a W-9 request template.
The cyber security experts: The cybercriminals use a new mail template, and the malware deploys further modules that steal a victim's mail, spread to other computers, or send spam
According to the cyber security experts, the attached Word documents use a new template that tells the user the document cannot be opened properly because it was created on iOS. The template also contains a mistake: it instructs the user to "Enable Edition" rather than "Enable Editing." This document template has not been seen in past Emotet campaigns. Following the lure's instructions ultimately leads to the trojan being stored as %UserProfile%\AppData\Local\dwmapi\certmgr.exe. An autorun Registry key is also created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that the Emotet trojan starts whenever Windows starts. Once the malicious code is running, it deploys further modules that steal a victim's mail, spread to other computers, or use the infected computer to send spam.
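The persistence described above, a dropped executable under the user's local AppData folder plus an autorun value in the HKCU Run key, is something a defender can audit directly. The following PowerShell script is an added example written for this summary; it is not code from Bleeping Computer, Reversing Labs or any of the researchers quoted. It lists every HKCU Run entry, resolves the executable each one launches, and flags entries that start a binary from a user-writable location, that point at a file which no longer exists, or that match the exact certmgr.exe path reported in the article. The flag names and the choice of user-writable roots ($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:USERPROFILE) are the example's own assumptions, not indicators taken from the article.

```powershell
# Added example (not from the article): audit HKCU Run autostart entries and flag
# those that launch executables from user-writable locations, the persistence
# pattern the article attributes to this Emotet campaign.
# Assumption: run in the context of the user whose profile is being inspected.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Locations a standard user can write to; anything autostarting from here
# deserves a second look. (Root list chosen for this example.)
$userWritableRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:USERPROFILE)

# The drop path reported in the article, expanded for the current user.
$knownEmotetPath = Join-Path $env:LOCALAPPDATA 'dwmapi\certmgr.exe'

$entries = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if (-not $entries) { Write-Host "No Run entries found under $runKey"; return }

# Get-ItemProperty adds PS* metadata properties; skip those and keep the real values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$entries.PSObject.Properties |
    Where-Object { $_.Name -notin $metaProps } |
    ForEach-Object {
        $name  = $_.Name
        $value = [string]$_.Value

        # Recover the executable path: honour a quoted path, otherwise take the
        # first whitespace-delimited token, then expand %VAR% references.
        $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $exists = Test-Path -LiteralPath $exe
        $flags  = @()

        if ($userWritableRoots | Where-Object { $_ -and $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
            $flags += 'user-writable-location'
        }
        if ($exe -ieq $knownEmotetPath) { $flags += 'matches-reported-emotet-path' }
        if (-not $exists)                { $flags += 'target-missing' }

        # A binary named like a Windows tool but sitting in a profile folder is
        # usually unsigned; record the Authenticode status when the file exists.
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }

        [pscustomobject]@{
            Name      = $name
            Command   = $value
            Exe       = $exe
            Exists    = $exists
            Signature = $sigStatus
            Flags     = ($flags -join ',')
        }
    } | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session for the account in question; entries carrying the user-writable-location flag, an unsigned or missing target, or the reported path are the ones to investigate, compare against an EDR or Sysmon registry-change log, and remove once the dropped file has been collected.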