The bait is a shipping receipt, attached as an .xlsm file. If opened, it contacts a link picked at random from a list embedded in the file and downloads a DLL, which starts the malware infection.
Technical analysis by the malware hunter JAMESWT
Emotet, after a period of pause, returns to attack Italy with a new campaign that uses real stolen email conversations
Emotet, after a pause, returns to hit Italy with a new campaign that takes advantage of real stolen email conversations. The messages carry a .doc file that contacts the first available URL from a list embedded inside it. If that URL does not respond, the document moves on to the next one until it gets a positive result. The objective is to download the malware from one of the three Epoch botnets. Emotet is a banking Trojan to which cybercrime actors have, over time, added modules that let it steal passwords stored in the victims' software, infect other computers connected to the same network, and harvest emails for reuse in subsequent spam campaigns.
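The URL-fallback loop described above is what an analyst usually wants to reproduce: pull the drop-site list out of the decoded macro in the order the document tries it, then walk that list until one host answers with a payload. The following Python script is an added example written for this article; it is not JAMESWT's analysis code or any Emotet artefact. The macro string, hostnames (all on the reserved .invalid domain) and the HTTP responses are constructed so the loop runs offline, and treating "positive result" as an HTTP 200 whose body starts with the PE magic bytes is an assumption made here because the fetched stage is reported to be a DLL.

```python
"""Emulate a maldoc's try-each-URL download loop against constructed data."""
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample standing in for a decoded macro string. Real Emotet
# documents obfuscate this list; the hosts below are placeholders on the
# reserved .invalid TLD and are not indicators from the article.
SAMPLE_MACRO_STRING = (
    "http://shop-a.invalid/wp-content/7hq2/|"
    "http://blog-b.invalid/images/K4x/|"
    "http://site-c.invalid/cgi-bin/pB9/|"
    "http://host-d.invalid/media/Lm3/"
)

URL_RE = re.compile(r"https?://[^\s|\"']+")

FetchResult = Tuple[int, bytes]          # (HTTP status, response body)
Fetcher = Callable[[str], FetchResult]   # injected so the loop runs offline


def extract_urls(blob: str) -> List[str]:
    """Return the drop-site URLs in the order the macro would try them."""
    return URL_RE.findall(blob)


def is_positive_result(status: int, body: bytes) -> bool:
    """Assumed success test: HTTP 200 carrying a PE (MZ) payload."""
    return status == 200 and body.startswith(b"MZ")


def first_live_url(urls: List[str], fetch: Fetcher) -> Optional[Tuple[int, str, bytes]]:
    """Walk the list in order and return (index, url, payload) for the first
    URL that answers positively, or None if every entry fails."""
    for i, url in enumerate(urls):
        try:
            status, body = fetch(url)
        except OSError:
            continue  # host down / DNS failure: move on to the next URL
        if is_positive_result(status, body):
            return i, url, body
    return None


def fake_fetch(url: str) -> FetchResult:
    """Stand-in for a network fetch with constructed responses: the first host
    is unreachable, the second serves an HTML 404, the third serves a PE."""
    responses = {
        "http://blog-b.invalid/images/K4x/": (404, b"<html>not found</html>"),
        "http://site-c.invalid/cgi-bin/pB9/": (200, b"MZ\x90\x00" + b"\x00" * 60),
        "http://host-d.invalid/media/Lm3/": (200, b"MZ\x90\x00" + b"\x00" * 60),
    }
    if url not in responses:
        raise OSError("connection refused")
    return responses[url]


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_MACRO_STRING)
    # Every URL in the list is worth blocking and hunting for, not just the
    # one that happened to be live at analysis time.
    print("URLs to block/hunt:", *urls, sep="\n  ")
    hit = first_live_url(urls, fake_fetch)
    if hit:
        idx, url, body = hit
        print(f"payload fetched from entry #{idx}: {url} ({len(body)} bytes)")
    else:
        print("no drop site answered")
```

The practical point for defenders is in the last step: the document only needs one entry to be alive, so a sandbox run that shows a single contacted host under-reports the campaign. Extract and block the whole list, and keep the fetch behind an injectable function so the same loop can be pointed at a real HTTP client inside an isolated analysis network.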
Examples of the real stolen email conversations used to spread Emotet
The .doc attachments, which contact the first available URL from a list embedded inside them
The links to the Epoch botnets, contacted by the attachments to download the malware