Security Awareness – Emotet Uses Snowden’s New Book as a Current Lure

As WaterISAC shared in its September 17 Security and Resilience Update, Emotet has resumed spear phishing activity. Specifically, last week Emotet was observed using similar tactics from late spring 2019 by hijacking old email threads designed as invoices. This week it adds a different tactic to its arsenal of lures – NSA whistleblower Edward Snowden’s new book, Permanent Record. Using current events for phishing lures is very common. Emotet authors are reportedly offering Snowden’s book as a Microsoft Word attachment. According to antimalware firm Malwarebytes, the attachment is weaponized with a malicious macro launching a PowerShell command that retrieves the Emotet malware binary from a compromised WordPress site. Users who open the document will be presented with a fake message stating, “Word hasn’t been activated” and are prompted to enable the content with a yellow security warning. Once they do, nothing appears to happen. However, after infection, the machine will attempt to reach out to one of Emotet’s many command-and-control servers (C2s). Perch users subscribed to the WaterISAC Community will be able to detect the Indicators of Compromise (IoCs) for this Emotet campaign within their environments. Read the entire post at Malwarebytes