National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team provides for the increase of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

Emotet malware now wants you to upgrade Microsoft Word

29 October 2020

Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature.

Emotet is a malware infection that spreads through emails containing Word documents with malicious macros. When opening these documents, their contents will try to trick the user into enabling macros so that the Emotet malware will be downloaded and installed on the computer.

Once the malware is installed, Emotet will use the computer to send spam emails and ultimately install other malware that could lead to a ransomware attack on the victim’s network.

New malicious document template

Emotet spam campaigns use a variety of lures to trick recipients into opening an attachment, such as pretending to be invoices, shipping notices, resumes, purchase orders, or even COVID-19 information, as shown below.


Example Emotet spam email

Attached to these spam emails are malicious Word (.doc) attachments or links to download one.

When opened, these attachments will prompt a user to ‘Enable Content’ so that malicious macros will run to install the Emotet malware on a victim’s computer.

To trick users into enabling the macros, Emotet uses various designs, or document templates, that display a warning to the user. The template introduced this week poses as a Microsoft Office message claiming that Microsoft Word must be upgraded to add a new feature:

Upgrade your edition of Microsoft Word

Upgrading your edition will add new feature to Microsoft Word.

Please click Enable Editing and then click Enable Content.

To "upgrade" Microsoft Word, the document tells the user to click the Enable Editing button and then the Enable Content button, which causes the malicious macros to execute.


New Upgrade Microsoft Word Emotet attachment

These malicious macros will download and install the Emotet malware into the victim’s %LocalAppData% folder, as shown below.


Emotet malware installed in Windows
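The delivery chain above (spam email, Word attachment, Enable Content, macro drops the payload) can be cut at the mail gateway by refusing Word attachments that carry a VBA project at all. The following is an added example, not code from the article or from CSIRT-CY; it uses only the Python standard library and a crude name-scan heuristic for legacy .doc files, so a full OLE parser such as oletools' olevba remains the production choice. All sample documents are constructed inline and are not real Emotet samples.

```python
"""Triage a Word attachment for an embedded VBA project (macro-enabled)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm (ZIP)
# OLE directory entries are UTF-16LE; these names exist only with a VBA project.
# Heuristic: 16-bit body text containing "Macros" would also match (false positive).
OLE_VBA_NAMES = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]


def classify(data: bytes) -> str:
    """Return 'ooxml', 'ole' or 'unknown' from the file's magic bytes."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def has_vba_macros(data: bytes) -> bool:
    """True if the document carries a VBA project, whatever its extension claims."""
    kind = classify(data)
    if kind == "ooxml":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # OOXML stores the macro project as word/vbaProject.bin
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    if kind == "ole":
        return any(marker in data for marker in OLE_VBA_NAMES)
    return False


def triage(filename: str, data: bytes) -> str:
    """Gateway verdict: quarantine macro-bearing Word attachments."""
    if has_vba_macros(data):
        return "QUARANTINE: %s contains a VBA project" % filename
    return "ALLOW: %s (no VBA project)" % filename


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_ole(with_macros: bool) -> bytes:
    """Constructed bytes with the OLE2 magic only (not a valid document)."""
    body = b"\x00" * 512
    if with_macros:
        body += "Macros".encode("utf-16-le")  # mimics the VBA storage entry name
    return OLE_MAGIC + body
```

Note that the check keys on file content, not on the .doc/.docm extension, so a renamed attachment is judged the same way.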


Why is it necessary to recognize Emotet attachments?

Emotet is considered the most widely spread malware targeting users today. It is particularly dangerous as it installs other infections such as the Trickbot and QBot malware onto a victim’s computer.

When installed, TrickBot and QBot will attempt to steal stored passwords, bank information, and assorted other information, but also commonly lead to Conti (TrickBot) or ProLock (QBot) ransomware attacks.

Due to this, it is important that all email users recognize malicious document templates used by Emotet so that you do not accidentally become infected.

The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorsement of the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
