The zip attachment contains an exe file: the malware itself. Stolen data is exfiltrated via SMTP.
Malware Hunter JAMESWT Technical Analysis
Second Emotet campaign via real stolen email conversation. The xls directly contacts an internal list of URLs and downloads the dll, starting the malware infection
There is a second Emotet campaign in circulation, which uses a real stolen email conversation.
The mechanism is always the same: the attachment contacts an internal list of URLs and downloads the dll, starting the malware infection.
The difference, however, lies precisely in the attachment: it is no longer contained in a password-protected zip file, but is a “clear” (unencrypted) xls sent directly. Emotet is a banking Trojan used by cybercriminals, to which modules have been added over time that allow it to steal the passwords stored in the victims’ software, infect other computers connected to the same botnet, and reuse stolen emails for subsequent spam campaigns.