Emotet malware's new 'Windows Update' attachment (22nd October 2020)

Description

Emotet is malware spread through spam emails that carry malicious Word or Excel document attachments (or links to download them). Once the attachment's macros are enabled, the document downloads and installs the Emotet Trojan.

Summary

Analysts have observed a new Emotet lure designed to trick users into enabling macros, which then download and install the Emotet Trojan. The attached document pretends to be a message from Windows Update stating that Microsoft Word must be updated before the document can be viewed, and instructs the user to click "Enable Editing" and "Enable Content" to apply the "update". Clicking those buttons runs the malicious macro. After infecting the machine, Emotet uses it to send further spam emails to the victim's contacts.

How does it work

The campaign begins with spam emails that carry either a Word document attachment or a link to download one. When the victim opens the document, it prompts them to "Enable Content", which allows the embedded macro to run and fetch the Emotet payload. Once installed, Emotet steals sensitive data (including email credentials and contact lists, which feed the next wave of spam) and spreads like a worm to other devices on the network. The lures are updated constantly: the appearance of the attachment changes, as do the email subject lines and message bodies, and the malware itself is modified regularly to avoid detection by anti-malware programs. Emotet is also used as a loader for other malicious code, such as the TrickBot and QBot Trojans, which in turn have delivered ransomware such as Conti (via TrickBot) and ProLock (via QBot).
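Because the whole chain depends on the user enabling a macro, the control a mail gateway or incident responder wants first is a check that flags macro-carrying Office attachments (and the "enable content" social-engineering text that accompanies them) before a user ever sees the prompt. The script below is an added example written for this alert; it is not code from the CIRT, Kaspersky, Microsoft or any real Emotet sample. It inspects file contents rather than extensions, because a macro-enabled .docm can simply be renamed .doc. The sample documents it builds are constructed in memory for testing, and the legacy (.doc) check is a deliberately simple heuristic; a production gateway should parse the compound file with a full tool such as oletools' olevba.

```python
"""Triage e-mail attachments for macro-carrying Office documents.

Added example, not part of the CIRT alert and not a signature for any real
sample. Flags (1) OOXML files containing a VBA project, (2) legacy OLE files
that appear to contain VBA storages, and (3) lure phrases such as the
"Windows Update" text described in the alert.
"""
import io
import zipfile

OOXML_MAGIC = b"PK\x03\x04"                        # modern Office files are zip containers
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls compound-file header
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Phrases typical of "enable macros" lures, including the Windows Update variant.
LURE_PHRASES = (b"enable content", b"enable editing", b"windows update",
                b"update microsoft word", b"needs to be updated")


def _ooxml_names(data: bytes) -> set:
    """Member names of an OOXML container, or an empty set if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return set(zf.namelist())
    except zipfile.BadZipFile:
        return set()


def has_macros(data: bytes) -> bool:
    """True if the document carries a VBA project (content-based, ignores the file name)."""
    if data.startswith(OOXML_MAGIC):
        names = _ooxml_names(data)
        return any(part in names for part in VBA_PARTS)
    if data.startswith(OLE_MAGIC):
        # Heuristic for legacy binary formats: OLE directory entry names are stored
        # as UTF-16LE, so a VBA storage appears as "V\x00B\x00A\x00" in the raw bytes.
        return any(name.encode("utf-16-le") in data for name in ("VBA", "Macros", "_VBA_PROJECT"))
    return False


def found_lures(data: bytes) -> list:
    """Lure phrases present in the document text (case-insensitive byte search)."""
    if data.startswith(OOXML_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                haystacks = [zf.read(n).lower() for n in zf.namelist() if n.endswith(".xml")]
        except zipfile.BadZipFile:
            haystacks = []
    else:
        # Legacy .doc stores text as ASCII or UTF-16LE; bytes.lower() only touches ASCII
        # letters, so searching both encodings of each phrase covers both cases.
        haystacks = [data.lower()]
    hits = []
    for phrase in LURE_PHRASES:
        needles = (phrase, phrase.decode("ascii").encode("utf-16-le"))
        if any(n in h for h in haystacks for n in needles):
            hits.append(phrase.decode("ascii"))
    return hits


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment. Macros alone justify quarantine; the lure text is
    supporting evidence for the analyst and, on its own, only warrants review."""
    macros = has_macros(data)
    lures = found_lures(data)
    if macros:
        verdict = "quarantine"
    elif lures:
        verdict = "review"
    else:
        verdict = "allow"
    return {"file": filename, "macros": macros, "lures": lures, "verdict": verdict}


def build_sample_docm(with_macro: bool, body: str) -> bytes:
    """Construct a minimal OOXML container for testing (a stand-in, not a real Emotet document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:t>{body}</w:t></w:p></w:body></w:document>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)   # placeholder VBA part
    return buf.getvalue()


if __name__ == "__main__":
    lure_body = ("Windows Update. Some apps need to be updated. "
                 "Update Microsoft Word to view this document: "
                 "click Enable Editing, then Enable Content.")
    for name, blob in [("Invoice_2020.doc", build_sample_docm(True, lure_body)),
                       ("report.docx", build_sample_docm(False, "Quarterly figures attached.")),
                       ("notes.txt", b"plain text, nothing to see")]:
        print(triage(name, blob))
```

Run as a script to see the three constructed attachments classified; the macro-carrying file is quarantined regardless of its .doc extension, the clean document is allowed, and the plain-text file is ignored. Wire `triage()` into a mail-gateway hook or a forensic script that walks a mailbox export, and treat any "quarantine" hit that also lists "windows update" or "enable content" as a likely Emotet lure worth a user follow-up.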

Tips to protect yourself from Emotet:

  • Keep your operating system and application programs (browsers, add-ons, email client, Office, PDF reader, etc.) updated.
  • Install a full, up-to-date anti-virus program on your device and scan it regularly.
  • Do not download suspicious attachments from emails or click on suspicious links. Microsoft Word is never updated by enabling macros in a document, so treat any document that asks you to "Enable Editing" or "Enable Content" in order to "update Word" as malicious.
  • Back up your data regularly to an external storage device that is kept disconnected between backups, so that a clean copy remains available after an infection.
  • Conduct awareness training so that employees can identify suspicious emails.

The Guyana National CIRT recommends that users and administrators review this alert and the remediation strategies and apply them where necessary.

References

  • Emotet malware's new 'Windows Update' attachment. Retrieved from Kaspersky and Microsoft:
          https://usa.kaspersky.com/resource-center/threats/emotet
          https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=win32/emotet

  • Luke Irwin (18th September 2020). Emotet is back: How to stop 'the most destructive malware' in existence. Retrieved from IT Governance Blog:
          https://www.itgovernance.co.uk/blog/emotet-how-to-stop-the-most-destructive-malware-in-existence