Emotet Botnet Now Using Snowden's Memoir as a Lure
Attackers Sending Emails Promising Copy of 'Permanent Record'
A week after the Emotet botnet crept back to life, the attackers behind it are already trying a new way to ensnare victims - using Edward Snowden's newly released memoir as a phishing lure, according to the security firm Malwarebytes.
Last week, the former National Security Agency contractor turned whistleblower released his memoir, Permanent Record. Now, the Emotet attackers are looking to latch on to the publicity surrounding Snowden's book for their own nefarious purposes, the Malwarebytes researchers say.
After a four-month hiatus, command-and-control servers associated with Emotet began communicating with each other in late August, and on Sept. 16, several security firms confirmed a new surge in botnet activity primarily against targets in the U.S., U.K. and Germany (see: Researchers: Emotet Botnet Is Active Again).
And while earlier campaigns used a dated spear-phishing tactic - sending a personalized message that hijacked an old email thread, usually by impersonating someone the victim knew from that thread - this new phishing scam capitalizes on the newsworthiness of a particular event to target more victims, the researchers note.
Snowden as Lure
On Monday, Malwarebytes researchers posted a new report that shows the attackers behind Emotet are using phishing emails that claim to contain a version of Snowden's book as a Microsoft Word file. That document contains hidden malicious macros that trigger a PowerShell command, which then downloads the Emotet malware onto an infected device.
"Upon opening the document, a fake message that 'Word hasn't been activated' is displayed to victims who are prompted to enable the content with a yellow security warning," according to the Malwarebytes research. "Once they do, nothing appears to happen. However, what users don't see is the malicious macro code that will execute once they click on the button."
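The chain described above - a Word document whose macro launches PowerShell to fetch the payload - leaves a recognizable parent/child trace in endpoint process-creation telemetry. The following is an added example (not code from Malwarebytes or this article) that flags such events; the log records, field names and file names are constructed for illustration.

```python
"""Flag Office applications spawning a script interpreter, the
macro-to-PowerShell step described in the article, over constructed
process-creation records shaped loosely like Sysmon Event ID 1 data."""

# Constructed sample telemetry (hypothetical, not from the article).
SAMPLE_EVENTS = [
    {"pid": 4012,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "WINWORD.EXE /n Permanent_Record.doc"},
    {"pid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"pid": 4200,  # benign: an admin running PowerShell from Explorer
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-Date"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Arguments commonly seen with macro-launched download stages.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                   "downloadstring", "downloadfile")


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the reasons an event looks like Office-launched script execution.

    An empty list means the event is not flagged. Only parent/child lineage
    triggers a hit; argument matches add detail, never a hit on their own,
    so an admin's interactive PowerShell session is not flagged."""
    reasons = []
    if (basename(event["parent_image"]) in OFFICE_APPS
            and basename(event["image"]) in INTERPRETERS):
        reasons.append("office application spawned interpreter")
        cmdline = event["cmdline"].lower()
        reasons += [f"suspicious argument: {arg}"
                    for arg in SUSPICIOUS_ARGS if arg in cmdline]
    return reasons


def find_office_spawned_interpreters(events):
    """Return (pid, reasons) for every flagged event, preserving input order."""
    return [(e["pid"], score_event(e)) for e in events if score_event(e)]
```

Lineage-based rules like this one survive a change of lure or subject line, which is the point the Malwarebytes researcher makes about attackers rotating themes to slip past content-based email filtering.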
Although the researchers are still trying to determine the full extent of the phishing campaign using the fake Snowden book, Malwarebytes has collected samples of spam emails in English, Italian, Spanish, German and French, revealing the potential global extent of the scam.
One reason the attackers may have switched lures so fast is to avoid detection and security tools, researchers say.
"Changing subject lines or email content can throw off defenders and help bypass email protection," a researcher with the Malwarebytes security team tells Information Security Media Group. "However, switching from the classic fake invoice theme to the Snowden lure may have been done as a way to piggyback the campaign on a popular news story that would yield more victims."
Purpose of Campaign?
Emotet is still considered one of the world's most notorious botnets. The attackers behind it distribute phishing emails to increase the size of the botnet as well as to spread spam and other malicious code. The Trickbot Trojan and the Ryuk ransomware variant are each associated with the botnet (see: 5 Malware Trends: Emotet Is Hot, Cryptominers Decline).
But the Malwarebytes researchers are not sure about the purpose of the latest Emotet campaign.
"The Emotet botnet dominates all others when it comes to fuelling malspam campaigns," the Malwarebytes researcher says. "The malware's ability to compromise new machines and harvest credentials for spam is unique and effective."
While attackers have taken advantage of weaponized Microsoft Word and other documents for some time, security experts note that social engineering techniques, such as using the Snowden book as a lure, are effective ways to ensure that the attack is carried out.
"For cybercriminals, going after people and infecting their machines with social engineering tactics is much easier than trying to directly attack a network," Atif Mushtaq, CEO of San Francisco-based security firm SlashNext, tells ISMG. "While weaponized document attachments to phishing emails are sometimes detected by one or more security solutions, requiring additional user interaction within the document application, in this case, Microsoft Word helps these attacks evade defenses and compromise victims' machines."