+++ UPDATE 05.12.2018: The Hornetsecurity Security Lab is currently observing an immense increase in the number of dangerous emails, which come with the malicious malware “Emotet”. Also the BSI informs about the growing threat, by the current Phishing and Spam campaign, which spreads “Emotet”. The affected companies suffered from failures of their entire IT infrastructure, which resulted in immense capital damage.

Disguised as an Office Word document attached to a legitimate email, the malware is installed on a computer when opened and reads contacts and email content from the mailboxes of the infected system. Furthermore, Emotet has the ability to reload additional malware that allows hackers to read access data and provide remote access to the system.

In September this year, Hornetsecurity already published a report about the appearance of the malware as an invoice disguised as a PDF document, which reloads a banking Trojan when executed.+++

New Emotet version

Since Christmas last year, no major offensives by the banking Trojan Emotet have been observed. Now it appears in a new shape and is distributed by an insidious blended attack.

The malware specialists from our security lab found a new type of the banking Trojan Emotet on Thursday, 06.09.18 and investigated the attacking method in more detail.

Earlier versions of Emotet were mainly distributed directly in email attachments or through links in email bodies. This new type uses a more complex delivery method: it is hidden in the form of a PDF document disguised as an invoice and attached to a phishing email.

Emotet phishing email

Phishing email with attached PDF document

Emotet PDF document

PDF document with link to Office file

The content of this PDF document contains a link to download an Office file.

Emotet office document

Office document

Once the user opens the file, a macro is executed that downloads the dangerous malware.

Statische Analyse Emotet Code-Fragment

Static analysis – code fragment

Emotet uses this cover-up technique to circumvent virus filters and sandbox analyses. So far this seems to work well, because not even a third of the antivirus programs listed on VirusTotal classify the file as dangerous.

On the safe side with Advanced Threat Protection

The URL scanning feature of Hornetsecurity’s Advanced Threat Protection detects files, however well hidden they may be, and protects customers’ IT from this persistent blended attack even before the phishing mail arrives.