This latest phishing scam is spreading fake invoices loaded with malware

Prolific malware turned botnet shows no signs of slowing down as campaigns are launched against financial institutions in the US and UK.
Written by Danny Palmer, Senior Writer

A notorious malware campaign is targeting banks and financial institutions in the US and the UK with attacks that are damaging in their own right and can also serve as the foothold for later intrusions by other criminals.

Emotet started life as a banking trojan, but has since evolved into a botnet whose criminal operators rent out access to infected machines to other groups that want to deliver their own malware.

Such is the power of Emotet that at one point last year it accounted for almost two-thirds of malicious payloads delivered in phishing attacks.


Emotet activity appeared to decline during December, but it sprang back to life in January, and it currently shows no signs of slowing down: researchers at Menlo Security have detailed yet another campaign.

This time the attacks have been directed at organisations in financial services, with smaller numbers aimed at the food, media and transportation industries. Three-quarters of the attacks targeted organisations in the US or UK, with the remainder directed at the Philippines, Spain and India.

Like previous Emotet attacks, the malware is delivered via phishing emails carrying a malicious Microsoft Word document. This time the email subject lines revolve around invoices, bank details and other financial topics, terms chosen to catch the attention of workers in the finance sector.

The document claims the user must click 'Enable Content' in order to view it. Doing so runs the embedded macros, which then retrieve Emotet from attacker-controlled URLs and install it on the machine.

Because Emotet is such a prolific botnet, the malicious emails don't come from any one source but from infected Windows machines around the world, so blocking individual sending addresses offers little protection.

If a machine falls victim to Emotet, the malware provides a backdoor into the system that lets the attackers steal sensitive information. It also lets them use the machine to spread further malware, or hand over access to compromised PCs so that other criminals can exploit them for their own gain.

The campaign spiked towards the end of January and, while activity has dropped for now, financial institutions are still being targeted with Emotet phishing campaigns.

"We are continuing to see Emotet traffic, though the intensity has reduced considerably," Krishnan Subramanian, researcher at Menlo Labs told ZDNet.


To protect against Emotet, users should be wary of any document asking them to enable macros, especially if it arrives from an untrusted or unknown source. Businesses can go further and disable macros by default through Office policy, so that a document delivered by email cannot run its macros at all, whatever the user clicks.

Organisations should also keep operating systems and software patched and up to date. Many attacks rely on known vulnerabilities for which fixes already exist, so prompt patching stops a large share of them from succeeding.
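The "disable macros by default" recommendation maps to two Office Trust Center settings that Group Policy writes under the per-user policy hive. The script below is an added example, not code from the article or from Menlo Security: it applies those settings for Word, Excel and PowerPoint on the current user and then reports whether each application is hardened. It assumes an Office 2016/2019/365 build (policy key version `16.0`); the key path, the `VBAWarnings` values and the `blockcontentexecutionfrominternet` flag are the documented policy registry values.

```powershell
# Added example (not from the article): enforce macro-disabled-by-default for Office
# via the per-user policy registry keys that the "VBA Macro Notification Settings" and
# "Block macros from running in Office files from the Internet" Group Policies write.
# Assumption: Office 2016/2019/365, whose policy keys live under version "16.0".
$OfficeVersion = '16.0'
$OfficeApps    = 'Word', 'Excel', 'PowerPoint'

function Get-OfficeSecurityKey {
    param([string]$App, [string]$Version = $OfficeVersion)
    "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
}

function Set-OfficeMacroPolicy {
    param(
        [string[]]$Applications = $OfficeApps,
        # 3 = disable all macros except digitally signed ones (no "Enable Content" button for unsigned code);
        # 4 = disable all macros without notification (strictest). 2 is the Office default that Emotet relies on.
        [ValidateSet(3, 4)][int]$VbaWarnings = 3
    )
    foreach ($app in $Applications) {
        $key = Get-OfficeSecurityKey -App $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # VBAWarnings controls the Trust Center macro setting; a policy value overrides the user's own choice.
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value $VbaWarnings -Force | Out-Null

        # Block macro execution in files carrying the Mark-of-the-Web (email attachments and downloads),
        # which is exactly how a phishing-delivered Word document arrives on disk.
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    param([string[]]$Applications = $OfficeApps)
    foreach ($app in $Applications) {
        $key  = Get-OfficeSecurityKey -App $app
        $vba  = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $vba     # $null means no policy: the user's own Trust Center setting applies
            BlockInternetMacros = $motw
            Hardened            = ($vba -in 3, 4) -and ($motw -eq 1)
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it in the context of the user being protected, since these are HKCU policy keys; in a managed estate the same two values are pushed fleet-wide through the Office Group Policy templates or Intune rather than by script, and `Get-OfficeMacroPolicy` then serves as a compliance check that the policy actually landed. Choosing `VBAWarnings = 3` keeps internally signed macros working while removing the "Enable Content" button that Emotet's lure depends on; use `4` where no macros are needed at all.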
