In today's security landscape, Emotet is one of the biggest sources of malspam, the term for email campaigns that deliver malware through attachments.
These malspam campaigns are crucial for the Emotet operators: they are the foundation of the botnet, feeding new victims into the Emotet machine. Emotet itself runs as Malware as a Service (MaaS), with access to infected hosts leased to other criminal groups.
Emotet, malware as a service
To stop security products from flagging these emails as malicious or as spam, the Emotet group regularly changes how the emails are delivered and how the attachments look.
The operators vary the subject lines, the body text and the type of attachment, but also the content of the attachment itself, which matters just as much as the rest of the email.
This is because a user who receives Emotet malspam has to go through a multi-step process: read the email, open the file, and then explicitly allow the embedded macros to run. Office opens files that arrive by email in Protected View, so the macros only execute after the user clicks "Enable Editing" and then "Enable Content" in the yellow bar shown at the top of the document.
Over the years, Emotet has built up a collection of Office documents that use a wide variety of lures to convince users to click those buttons.
Attachments sent in recent campaigns display a message claiming to come from the Windows Update service, telling the user that the Office application needs to be updated and that, of course, the update is applied by clicking the Enable Editing button.
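Because the lure only works if the document actually carries a macro project, a mail gateway or triage script can flag macro-bearing attachments before they ever reach the user. The following is an added example written for this article, not code from the original page or from any Emotet analysis: it inspects OOXML (docx/xlsm/docm) packages for a VBA project part, and the sample documents it builds are constructed in memory for the demonstration. It assumes attachments arrive as raw bytes; legacy binary .doc/.xls files (OLE2) are not parsed here and are treated as "no decision" rather than clean.

```python
import io
import zipfile

# OOXML parts where Office stores the macro project for Word, Excel and PowerPoint.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type every VBA project part must be declared with in [Content_Types].xml.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_ooxml(with_macro: bool, part_name: str = "word/vbaProject.bin") -> bytes:
    """Build a minimal OOXML package in memory (constructed test input, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        overrides = [
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.'
            'wordprocessingml.document.main+xml"/>'
        ]
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A VBA project is itself an OLE2 container; a fake header stands in here.
            overrides.append(
                f'<Override PartName="/{part_name}" ContentType="{MACRO_CONTENT_TYPE}"/>'
            )
            z.writestr(part_name, OLE2_MAGIC + b" constructed stand-in for a VBA project")
        z.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
    return buf.getvalue()


def has_vba_project(data: bytes):
    """Return True/False for OOXML attachments, None when the format is not handled.

    The decision is made on package contents, not on the file extension, so a
    macro-enabled document renamed to look harmless is still caught.
    """
    if data.startswith(OLE2_MAGIC):
        return None  # legacy binary Office file: needs an OLE2 parser (e.g. oletools)
    if not data.startswith(b"PK"):
        return False  # not a zip container, so not an OOXML document at all
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if any(part in names for part in MACRO_PARTS):
                return True
            # The part may be renamed, but its content type must still be declared.
            if "[Content_Types].xml" in names:
                manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        return False
    return False


def triage_attachments(attachments):
    """attachments: iterable of (filename, bytes). Returns names to quarantine or hold.

    Macro-bearing OOXML files are quarantined; unparsed legacy formats are held
    for deeper analysis rather than silently passed through.
    """
    quarantine, hold = [], []
    for name, data in attachments:
        verdict = has_vba_project(data)
        if verdict is True:
            quarantine.append(name)
        elif verdict is None:
            hold.append(name)
    return quarantine, hold


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_ooxml(True)),
        ("update_notice.doc", build_ooxml(True, part_name="word/payload.bin")),
        ("minutes.docx", build_ooxml(False)),
        ("legacy.doc", OLE2_MAGIC + b"\x00" * 64),
    ]
    print(triage_attachments(samples))
```

The content-type check matters in practice: a scanner that only looks for the literal `vbaProject.bin` name is easy to evade by renaming the part, whereas Office still needs the manifest entry to load the macros. For the binary .doc/.xls formats that Emotet also used, hand the held files to a dedicated OLE2 parser such as oletools' `olevba`.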
According to the report, on some infected hosts Emotet went on to install the TrickBot trojan. This confirms a ZDNet report from earlier the same week that the TrickBot botnet survived the recent takedown attempt by Microsoft and its partners.