The malware was hosted on a third-party website but was shared via a domain associated with McAfee ClickProtect, an email protection service that the company touts as able to "protect your business from hacking." The service is meant to protect against phishing attacks, malware from links in emails, and prevent users from visiting sites that are known to be high risk.
"Emotet has been widely distributed via malspam campaigns containing links to hacked sites that host a decoy Word document," said Jerome Segura, lead malware intelligence analyst at security firm Malwarebytes, in an email.
"Upon opening it and allowing macros, the user unknowingly triggers the download of the Emotet malware binary, also retrieved from a compromised site," he said.
The malware uses a traditional macro-enabled Word document, often delivered by a direct link or in an email, which, when opened and activated, will download additional files using a PowerShell script, including the Emotet malware binary. After it installs, the malware phones home to its command and control server where it would siphon off sensitive data, like browser and mail passwords, which could be used to hack into accounts and transfer funds. Security researcher Marcus Hutchins said in a recent write-up that the malware connects to the command and control server using hard-coded IP addresses, but it uses proxies to evade detection.
For its part, McAfee said it was investigating the matter, but it also said the service "performed as designed."
"In the early hours of Nov. 13, the web destination in question had not yet been identified as a source of malware propagation," said a spokesperson.
"Later that day, however, McAfee's Global Threat Intelligence service had indeed identified the web property as a threat, changed the site's reputation ranking from 'low risk' to 'high risk,' and thereafter blocked McAfee customers from being able to reach the site," the spokesperson said.
The spokesperson said that by the time McAfee's research team became aware of the site's status from an email sent by ZDNet, the site had "already been blocked for some time."
But that doesn't line up with our version of events. Shortly up until McAfee said the site was blocked, the link was still active and pointing to the malicious Word document. It's also not clear about why the service would flag the site as high risk but would still allow malware to download.
McAfee was "still working to establish the exact timeline" of events, a spokesperson said.
It's not known exactly how the link came to be -- such as if the link was created by hackers to trick unsuspecting victims into downloading the malware, or if it was by mistake.
A McAfee spokesperson said it was not as a result of "deliberate abuse" of the system.
But hackers have ramped up their use of the Emotet malware in recent months, and they're increasingly resorting to sending carefully crafted emails and employing social engineering techniques. The hackers behind the malware often masquerade as phone, cell, and internet providers, and they would focus on targets predominantly in the US, UK, and Canada, according to a recent Trend Micro report.
But why the malware has resurfaced remains a mystery. Microsoft recently appealed to enterprise customers to help stamp out the malware, which is increasingly in the hackers' crosshairs.
Segura warned that even users with email protection systems in place, like enterprises, can still be duped.
"Users should beware of shortened or converted links and perhaps even more so when there might be assumptions that they are safe," he said.
"The same goes for signatures appended at the bottom of an email, saying 'this email is guaranteed virus-free' or similar," he added. "Not only does it give users a false sense of security, but criminals often also add such messages for social engineering purposes."