Emotet Malware Tweaks Tactics in Fresh Attack Wave

Author: Charles Egli

Created: Thursday, February 14, 2019 - 19:07

Categories: Cybersecurity

The Emotet malware, which was responsible for deploying the Ryuk ransomware into a North Carolina water utility’s IT system in October, is back with new techniques and an upsurge in attacks. In recent campaigns, Menlo Security says, 80 percent of the malicious files appear to be Word documents with a .doc extension but are actually XML files; the other 20 percent of the malicious documents sampled are Word documents containing embedded macros, as is typical of Emotet. The researchers say this twist is an effort to avoid both detection and sandbox setups, which security teams often use to reverse-engineer malware code. “This technique is probably used to evade sandboxes, since sandboxes typically use the true file type and not the extension to identify the application,” Menlo Security said. “While the true file type is XML, it is still opened in Microsoft Word at the endpoint, thereby prompting the user to enable the malicious embedded macro,” it added. In total, 10 percent of the overall sample could not be identified as malicious by standard antivirus software. Menlo Security added that Emotet made its top list of Trojans last year, and the malware is expected to maintain its position throughout 2019. Read the article at ZDNet.
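The extension/content mismatch described above can be checked at a mail gateway or during attachment triage. The following Python sketch is an added example, not code from Menlo Security or the article: it classifies an attachment by its leading bytes and flags a `.doc` name over XML content. The marker strings come from the Word 2003 XML and Flat OPC formats rather than from the article, and `SAMPLE` is a constructed, inert input.

```python
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm) container
BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"))
# Lower-cased markers of Word 2003 XML / Flat OPC, the XML forms Word opens directly.
WORD_XML_MARKERS = ('progid="word.document"', "<w:worddocument", "<pkg:package")
# Lower-cased names under which a VBA project is stored inside those XML forms.
MACRO_MARKERS = ("editdata.mso", "vbaproject.bin")

# Constructed, inert sample: Word 2003 XML with a placeholder macro storage part.
SAMPLE = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
          b'<?mso-application progid="Word.Document"?>\n'
          b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">'
          b'<w:docSuppData><w:binData w:name="editdata.mso">AAAA</w:binData>'
          b'</w:docSuppData></w:wordDocument>')


def _text(data: bytes) -> str:
    """Decode to lower-case text, honouring a BOM; bad bytes are replaced."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return data[len(bom):].decode(name, errors="replace").lower()
    return data.decode("utf-8", errors="replace").lower()


def true_type(data: bytes) -> str:
    """Classify by content, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    head = _text(data)[:4096].lstrip()
    if head.startswith("<") and any(m in head for m in WORD_XML_MARKERS):
        return "word-xml"
    return "xml" if head.startswith("<?xml") else "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Flag the mismatch the article describes: .doc name, XML content."""
    kind = true_type(data)
    return {
        "true_type": kind,
        "doc_is_xml": filename.lower().endswith(".doc") and kind in ("word-xml", "xml"),
        "macro_hint": kind == "word-xml" and any(m in _text(data) for m in MACRO_MARKERS),
    }
```

A `doc_is_xml` hit is a reason to route the attachment for closer inspection, since the analysis pipeline should treat it the way the endpoint will: as a document Word opens.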

© 2026 WaterISAC. All Rights Reserved.
