The Emotet Trojan is one of the most widespread forms of malware currently in use to infiltrate devices.
This Trojan is usually distributed via spam email campaigns that use a range of lures to convince users to download the Trojan file. These spam emails are generated by the Emotet botnet, an army of zombie devices that have been infected by the Emotet Trojan. The Trojan takes over the victim’s email account and uses it to send copies of itself to the victim’s company contacts, using the addresses in the victim’s contact list.
Emotet emails typically have a corporate theme, since it is company users that the Emotet operators target. Campaigns often use proven phishing lures including fake invoices, purchase orders, shipping notices, and CVs, with the messages usually containing little text and an email attachment that the recipient must open to view further details.
In many cases, Word documents are sent containing malicious macros that install the Emotet Trojan on the victim’s computer. For the macros to run, the user must click ‘Enable Content’ after opening the email attachment.
The attached documents use a range of tricks to persuade users to enable content. Often the document claims it was created on an iOS or mobile device and that content must be enabled for it to be viewed, or that the contents of the document have been protected and will not be displayed unless content is enabled.
Earlier this month, the Emotet actors used a new lure. Spam emails claimed that a Windows update needed to be installed to upgrade apps on the device, and that this was preventing Microsoft Word from displaying the document contents. Users were told to click Enable Editing, which disables Protected View, and then Enable Content, which allows the macro to run.
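The macro-based lures above all depend on an attachment that carries a VBA project, which is something a mail gateway or analyst can check for before the user ever sees an ‘Enable Content’ bar. The following Python script is an added example for this article, not code from SpamTitan or from the Emotet campaigns: it classifies an attachment by its container bytes (an OOXML zip package versus a legacy OLE2 binary), looks for the `vbaProject.bin` part that holds macros, and applies a simple quarantine policy. The `build_sample_docx` helper produces constructed stand-in packages for demonstration; they are not real Word files, and the file names used are hypothetical.

```python
import io
import zipfile

# Magic bytes for the two container formats Office uses.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm/.xlsx/.xlsm (zip package)
MACRO_PART = "vbaproject.bin"                      # VBA project part inside an OOXML package


def classify_office_attachment(data: bytes) -> str:
    """Classify raw attachment bytes.

    Returns one of:
      'ooxml-macro'  - OOXML package that carries a VBA project (macros present)
      'ooxml-clean'  - OOXML package with no VBA project part
      'legacy-ole'   - pre-2007 binary format; macros cannot be ruled out without
                       parsing the OLE streams, so treat as needing deeper inspection
      'unknown'      - not an Office container
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "unknown"
    # Decide on the part list, not the file extension: a macro-bearing package
    # can simply be renamed, and the VBA project is what matters.
    if any(n.endswith(MACRO_PART) for n in names):
        return "ooxml-macro"
    if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
        return "ooxml-clean"
    return "unknown"


def quarantine_decision(filename: str, data: bytes) -> tuple:
    """Gateway-style policy: hold macro-bearing and legacy binary Office files.

    Returns (quarantine: bool, reason: str).
    """
    kind = classify_office_attachment(data)
    if kind == "ooxml-macro":
        return True, f"{filename}: OOXML package contains a VBA project"
    if kind == "legacy-ole":
        return True, f"{filename}: legacy OLE document, macros not ruled out"
    return False, f"{filename}: {kind}"


def build_sample_docx(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML package for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder; a real vbaProject.bin is an OLE stream.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments with hypothetical names.
    samples = {
        "invoice.docm": build_sample_docx(with_macro=True),
        "invoice_renamed.docx": build_sample_docx(with_macro=True),
        "cv.docx": build_sample_docx(with_macro=False),
        "order.doc": OLE_MAGIC + b"\x00" * 64,
        "notes.txt": b"plain text",
    }
    for name, blob in samples.items():
        quarantined, reason = quarantine_decision(name, blob)
        print(("QUARANTINE " if quarantined else "deliver    ") + reason)
```

The point of checking the package contents rather than the extension is that the lure text in the email and the file name are both under the attacker’s control, while the presence of a VBA project is not something they can hide from a gateway that opens the container. Legacy `.doc` files are held rather than cleared because this check does not parse OLE streams; a production filter would hand those to a dedicated OLE/VBA parser.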
The Emotet Trojan does not just add devices to a botnet and use them to launch further phishing campaigns. One of the main uses of Emotet is to install other malware variants on infected devices. The operators of the Emotet botnet are paid by other threat actors to distribute their malware payloads, such as the TrickBot Trojan and QBot malware.
TrickBot started out as a banking Trojan when it first appeared in 2016, but the modular malware has been regularly updated over the past few years with a range of new functions. TrickBot still behaves like a banking Trojan, but it is also a stealthy information stealer and malware installer, as is QBot malware.
As with Emotet, once the operators of these Trojans have achieved their objectives, they deliver a secondary malware payload. TrickBot has been widely used to distribute Ryuk ransomware, one of the biggest ransomware threats at present. QBot has linked up with another threat group and delivers Conti ransomware. From a single phishing email, a victim could therefore receive Emotet, then TrickBot or QBot, and then be hit with a ransomware attack.
For these reasons it is crucial for companies to select an effective spam filtering solution that blocks the initial malicious emails at source and stops them from reaching corporate inboxes. It is also important to provide security awareness training to staff to help them identify malicious messages such as phishing emails, in case a threat is not blocked and reaches employees’ inboxes.
Organizations that rely on the default anti-spam defenses included with Office 365 licenses should consider adding an extra spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are delivered to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of the Office 365 anti-spam protections, users will be better protected.
To find out more about the full SpamTitan package and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, call the SpamTitan team now.