The Emotet botnet comes and goes, but it is still one of the top cyber security threats active today. Its flexibility and updates have kept it in use by threat actors whilst other malware has been defeated by cyber security defences.
The latest versions are still arriving in phishing emails, loaded with techniques to evade current endpoint security measures, and the content is very sophisticated. The malicious emails appear to come from known contacts, reply to existing email threads and even quote your own email back at you, all in an attempt to tempt you to click on the attachment carrying the malware payload!
Botnet that knows your name and quotes your email is back with new tricks | Ars Technica
One evasion technique is to pad an attachment with extraneous code, inflating the size of the attached file to many hundreds of megabytes – as many anti-virus solutions do not scan very large files. Another technique is to include text that is invisible to the user in a Word file, as detection systems will flag files that contain only a graphic and a macro. Text from Moby Dick by Herman Melville seems to be a favourite source for this filler text.
One key feature is, of course, the message that pops up explaining that the content of this file cannot be displayed unless you enable content. If you have got this far and are not yet suspicious, DO NOT enable the content – that would allow the malicious macros to run and the malware would be loose.
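A defender-side triage check for the two attachment traits described above (a very large attachment, and an Office document that carries macros). This is an added example and not code from the original post or from any security product; it assumes the padding is appended after the end of the document's ZIP container (one way an OOXML file can be inflated without breaking it in Word), that the macro entry lives at `word/vbaProject.bin`, and the size threshold and sample document are constructed values.

```python
import io
import struct
import zipfile

# Constructed thresholds/assumptions for this example; tune to your environment.
LARGE_ATTACHMENT_BYTES = 50 * 1024 * 1024   # flag anything at or above 50 MB
MACRO_ENTRY = "word/vbaProject.bin"          # where Word stores VBA macros in a .docm
EOCD_SIG = b"PK\x05\x06"                     # ZIP end-of-central-directory signature


def find_zip_end(data: bytes):
    """Offset just past the ZIP end-of-central-directory record, or None if
    the data is not a ZIP container. Anything after that offset is not part
    of the archive, i.e. appended padding."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or idx + 22 > len(data):
        return None
    comment_len = struct.unpack_from("<H", data, idx + 20)[0]
    return idx + 22 + comment_len


def stock_parser_accepts(data: bytes) -> bool:
    """Whether Python's zipfile recognises the bytes as a ZIP at all. zipfile only
    searches the last 64 KiB for the EOCD record, so heavy trailing padding makes
    the document look like a non-ZIP blob to tooling that trusts the stock parser."""
    return zipfile.is_zipfile(io.BytesIO(data))


def analyze_attachment(data: bytes, large_threshold: int = LARGE_ATTACHMENT_BYTES) -> dict:
    """Triage an attachment: overall size, macro presence and trailing padding."""
    result = {"size": len(data), "is_zip": False, "has_macros": False,
              "trailing_bytes": 0, "flags": []}
    if len(data) >= large_threshold:
        result["flags"].append("oversized")
    end = find_zip_end(data)
    if end is None:
        return result
    result["is_zip"] = True
    result["trailing_bytes"] = len(data) - end
    # Parse only the archive portion so appended padding cannot hide the EOCD record.
    with zipfile.ZipFile(io.BytesIO(data[:end])) as zf:
        names = zf.namelist()
    result["has_macros"] = MACRO_ENTRY in names
    if result["has_macros"]:
        result["flags"].append("macro_document")
    if result["trailing_bytes"] > end:
        # More bytes after the archive than inside it: the size is mostly filler.
        result["flags"].append("padded")
    return result


def build_sample(padding: int) -> bytes:
    """Constructed sample: a minimal macro-bearing OOXML-style ZIP followed by
    `padding` null bytes, standing in for an inflated attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(MACRO_ENTRY, b"\x00" * 64)
    return buf.getvalue() + b"\x00" * padding


if __name__ == "__main__":
    for pad in (0, 100_000):
        sample = build_sample(pad)
        print(pad, stock_parser_accepts(sample),
              analyze_attachment(sample, large_threshold=50_000))
```

The point of `stock_parser_accepts` is the failure mode: once the padding exceeds the 64 KiB window the standard library searches for the end-of-archive record, a naive "is this a ZIP/Office file?" check returns false and the attachment can fall through to a less strict policy. Locating the record by scanning the whole buffer, then parsing only the archive portion, keeps macro detection working on the inflated file and also measures how much of the size is filler.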
Your takeaway from this is to be on the lookout for emails with very large attachments, unexpected emails with attachments, or oddly behaving attachments if you open one by mistake!
Have a look here for our training options to help with these types of cyber security threats:
Clive Catton MSc (Cyber Security) – by-line and other articles