Scam of the week: Emotet Strikes Again Using Fake Extortion Emails

January 24, 2020 11:38 am Geraldine Strawbridge

The notorious Emotet malware has made a resurgence in recent months and its developers are trying out a new tactic by hiding their malicious payload within fake extortion emails.

The phishing emails use a spam email template to warn the user that their computer has been hacked and their data stolen.

The email states: “YOUR COMPUTER HACKED! We have taken over your personal data. If you follow the instructions attached to this letter and transfer us $100, we will simply delete your data. Otherwise, exactly one day after sending this letter, we will sell them on the black market for $10 and your losses can be much greater.”

Extortion template (source: Execute Malware)

To avoid their data being sold on the black market, the user is asked to open an attached Word document containing instructions on how to pay the money.

Once the user opens the malicious document, they are asked to click the “Enable Content” button to view the document properly. As soon as this button is clicked, a PowerShell command is executed that immediately downloads and installs the Emotet Trojan onto their computer.
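The infection step described above leaves a distinctive trace for defenders: a process-creation record in which a Word process is the parent of PowerShell, typically with download or obfuscation switches on the command line. The following is an added example (not from the original post) of detection logic over such records; the key="value" record format, the field names and the sample records are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download and obfuscation switches commonly seen on macro-launched PowerShell command lines.
SUSPICIOUS = re.compile(r"downloadstring|downloadfile|invoke-webrequest|start-bitstransfer|"
                        r"-enc(?:odedcommand)?\b|frombase64string|\bhidden\b|\bbypass\b", re.IGNORECASE)

@dataclass
class Finding:
    parent: str
    child: str
    reasons: list = field(default_factory=list)

def parse_event(line):
    """Parse a constructed key="value" process-creation record into a dict (field names assumed)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def basename(path):
    """Lower-cased file name of a Windows path, so image comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(line):
    """Return a Finding if an Office app spawned a shell, noting download/obfuscation args; else None."""
    ev = parse_event(line)
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    if parent not in OFFICE_APPS or child not in SHELLS:
        return None
    finding = Finding(parent, child, ["office-spawned-shell"])
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(ev.get("CommandLine", ""))})
    if hits:
        finding.reasons.append("suspicious-args:" + ",".join(hits))
    return finding

def scan(lines):
    """Run check_event over a list of records and return only the findings."""
    return [f for f in map(check_event, lines) if f is not None]

# Constructed sample records (not real telemetry); the encoded body is replaced by a placeholder.
SAMPLE_LOGS = [
    r'Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ParentImage="C:\Windows\explorer.exe" CommandLine="WINWORD.EXE /n invoice.doc"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="powershell -NoP -W Hidden -Enc <base64-placeholder>"',
    r'Image="C:\Windows\splwow64.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="splwow64.exe 12288"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="powershell Get-Process"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"ALERT {f.parent} -> {f.child}: {'; '.join(f.reasons)}")
```

Only the second record is flagged: the benign Word launch, the print helper spawned by Word and the PowerShell started from cmd.exe all pass, which keeps the rule focused on the Office-to-shell relationship rather than on PowerShell use in general.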

Malicious Word Document

Unfortunately, the malware is only getting started! After a certain period of time, Emotet will download the TrickBot Trojan, which will begin to steal login credentials, sensitive files, browser history and a host of other confidential information.

In the final stage of infection, the TrickBot Trojan can also deploy Ryuk Ransomware which will encrypt selected files on the machine and demand a ransom payment in return for decrypting the files.

Emotet first emerged in 2014 as a banking trojan; however, it has rapidly evolved into one of the most sophisticated and widely used tools for distributing malware. It is extremely versatile and can effectively change itself every time it’s downloaded to evade signature-based anti-virus detection.

It has also gained new functionality to make it even more aggressive. Emotet can add an infected machine to a botnet to perform DDoS attacks or it can be blended with other forms of ransomware for maximum destruction.

The majority of Emotet infections start with a simple phishing email. As soon as the recipient clicks on a link or opens a file, they will unwittingly be enabling macros that initiate the infection process. As soon as the device is infected, Emotet will start trying to spread to other devices on the network and scan through contact lists to send out further malicious emails.

What can you do to prevent Emotet infection?

  • Keep your software up to date with the latest security patches from Microsoft – Emotet will often take advantage of the Windows EternalBlue vulnerability. Regular patching will fix security vulnerabilities, remove outdated features and update drivers.
  • Follow good security practices to minimise the risk of infection – Avoid clicking on links or downloading attachments from unknown sources.
  • Cyber Security awareness training – Emotet relies heavily on a user opening a phishing email. To ensure that employees can effectively recognise these threats, it’s vital they receive regular cyber security awareness training.
  • Use anti-virus software – Emotet has been highly successful in avoiding detection from many forms of anti-virus software solutions. However, it’s still vital to invest in a trustworthy anti-virus solution that uses behaviour blocking technology in addition to signature-based protection.
  • Create a strong and complex password – A strong password should be between 8 and 15 characters long, a mix of uppercase and lowercase letters, and include numbers or symbols.
  • Use Two-Factor Authentication (2FA) – Two-factor authentication adds an additional layer of security to the authentication process by making it harder for a hacker to gain access to a person’s device. In addition to a password, two-factor authentication requires a second piece of information to confirm the user’s identity.
  • Block questionable files and attachments – Consider blocking attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as .zip files.

Phishing is the number one cause of all cyber-attacks and continues to prove one of the easiest ways to steal valuable data and deliver ransomware. MetaPhish has been created to provide a powerful defence against these threats and enables organisations to find out just how susceptible their company is to phishing. Get in touch for further information on how MetaPhish can be used to protect your business.