A new attachment employed in the Emotet botnet’s cybercriminal activities is proving just as lethal as those it has previously utilised. Entitled ‘Red Dawn’ by malware experts, the latest template is being used to craft malicious attachments by the Trojan that was originally developed for stealing banking data.

A torrent of spam attacks

Following a five-month-long hiatus, July 2020 saw the malicious Emotet software return to action in a massive wave of spam attacks on an international scale. The campaign was observed to include a diverse range of spam communications attempting to resemble shipping data, invoices, financial files, scanned documents, resumes and important information on the coronavirus.

Each spam email included either a malicious document as an attachment or had a link embedded that directed the recipient to download a copy. When opened and viewed, these malicious attachments then prompted the recipient to ‘Enable Content’. Once activated, the macros incorporated into the document install the insidious Emotet malware onto the targeted victim’s device.

Up until now, to fool the recipient into activating the included macros, the Emotet botnet was employing a template that informs the user that the document has been created in Apple’s mobile operating system (iOS). It states that due to this fact, the document is unable to be viewed correctly without the user clicking the button marked Enable Content.

As of August 25, cybersecurity experts identified that the botnet had switched up its strategy and adopted a new template. Due to the red accents used in the new format, specialist on Emotet malware, Joseph Roosen, dubbed the template Red Dawn.

The latest template deployed by the Emotet botnet in its spam campaigns also departs from using iOS difficulties as the reason for activating the macros, and instead informs the user that the attached document is protected and a preview is unavailable. The template then goes on to prompt the recipient to click on a button once more, but instead of Enable Content, it uses the phrase ‘Enable editing’ to entice them to view the spam document.

As with the previous template utilised, once the recipient clicks on the button, harmful macros are executed and proceed to download and fully install Emotet malware onto the target’s device.

The importance of recognising attachments used by Emotet

Currently, Emotet is commonly considered to be the most wide-reaching form of malware aimed at users around the globe. Among the multiple dangers of Emotet malware is its capability to install other forms of malicious software onto a target’s computer when it delivers its payload, including both QBot and TrickBot.

While Trojans like QBot and TrickBot can execute slightly different actions, they will both work to steal cookies, passwords stored, banking details and other personal data from the victim’s device. More dangerous than this, these two Trojan viruses are also known to empower threat operators with access that allows them to install dangerous ransomware, including ProLock and Conti, across company networks.

With these multiple and far-reaching threats in mind, it is crucial that users can effectively identify the different document styles employed by Emotet to avoid infection.