Description
Emotet is malware that spreads through spam emails. These emails contain malicious Word or Excel document attachments.
Summary
Analysts have noticed that Emotet's new method is designed to trick users into enabling macros, which then download and install the Emotet Trojan. It does this by pretending to be a message from Windows Update stating that the Microsoft Word application needs to be updated before the attached document can be viewed. After tricking the user, the malware uses the victim's computer to send spam emails.
How does it work
The attack begins with spam emails sent to victims that contain either a Word document attachment or a download link. Victims are then prompted to enable content, which allows macros to run on their device. Once installed, the malware tries to steal sensitive data and acts like a worm, spreading to other devices. It keeps changing the way it delivers these malicious attachments and the appearance of the emails, such as the subject and the body of the message. It is always updating or changing itself to avoid being detected by anti-malware programs. Emotet can also be used to deliver other malicious code, such as the TrickBot and QBot Trojans, or ransomware such as Conti (TrickBot) or ProLock (QBot).
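Because delivery depends on a macro-bearing Office attachment, a mail gateway or triage script can flag such files before a user opens them. The following is an added example, not code from the Guyana National CIRT: the function names are hypothetical and the sample message is constructed in memory.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container header
OFFICE_EXT = (".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx", ".xlsb")

def classify_attachment(name, data):
    """Return a verdict for one attachment, or None if it is not an Office file."""
    if not name.lower().endswith(OFFICE_EXT):
        return None
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros cannot be ruled out without deeper parsing.
        return "legacy-ole2: may contain macros"
    if data.startswith(b"PK"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "corrupt-ooxml"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml: VBA macros present"
        return "ooxml: no macros"
    return "unknown-format"

def scan_message(raw):
    """Map each Office attachment filename in a raw email to its verdict."""
    msg = message_from_bytes(raw)
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            verdict = classify_attachment(name, part.get_payload(decode=True) or b"")
            if verdict:
                findings[name] = verdict
    return findings

def build_sample():
    """Constructed email: a .docm with a dummy macro part, a fake .doc, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"dummy")
    m = EmailMessage()
    m.set_content("body")
    samples = (("invoice.docm", buf.getvalue()), ("report.doc", OLE2_MAGIC + b"\0" * 16), ("note.txt", b"hi"))
    for fname, blob in samples:
        m.add_attachment(blob, maintype="application", subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A verdict of "VBA macros present" or "legacy-ole2" is a reason to quarantine or inspect the attachment further, not proof that it is Emotet.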
Tips to protect yourself from Emotet:
The Guyana National CIRT recommends that users and administrators review this alert and the remediation strategies and apply them where necessary.
References
https://usa.kaspersky.com/resource-center/threats/emotet
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=win32/emotet
https://www.itgovernance.co.uk/blog/emotet-how-to-stop-the-most-destructive-malware-in-existence