Menlo Security Discovers New Emotet Trojan Campaign Tactic

Researchers at Menlo Security have announced the discovery of a new campaign tactic used by hackers to distribute the Emotet Trojan malware.

Menlo Security’s researchers report that the attackers disguise XML files as Word documents and embed the malware-dropping macros in them. The files are sent as attachments in a phishing email. If the recipient opens the attachment, Windows hands the .doc file to Word, which recognises the XML format and renders it, and the attack proceeds as it would with a conventional macro-laden document: once the user enables macros, the Emotet payload is fetched and installed.

The significant difference in this campaign is the file format: the attackers deliver the malware in XML files carrying a .doc extension, whereas previous campaigns used regular Word documents. The researchers found that most security products identify the file as XML regardless of its extension, but standard AV software still failed to detect around 10% of the attacks. Menlo’s researchers suggested that the change in tactics may be an attempt to evade sandboxes.
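The detection point the researchers describe, that the file is XML no matter what its extension says, is easy to check at a mail gateway or in a triage script. The following is an added example, not code from Menlo Security or from the report it describes. It sniffs the container format of an attachment from its leading bytes, compares that with what the extension promises, and, for Word 2003 XML (WordprocessingML) content, looks for the progid processing instruction and for embedded-macro markers. The macro markers it checks (a `w:macrosPresent="yes"` attribute on the root and a `w:binData` element named `editdata.mso`) are indicators the example assumes for that format; the sample inputs are constructed skeletons, not real documents or malware.

```python
"""Extension-versus-content check for Word attachments (added example).

Word will open a Word 2003 XML file that carries a .doc extension, but the
bytes on disk look nothing like a legacy OLE2 .doc. A gateway can catch the
mismatch before the user double-clicks.
"""
import re

# Magic bytes of the containers a .doc/.docx extension should actually hold.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (legacy .doc)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx/.docm are zip archives

# Container each extension is expected to use.
EXPECTED = {
    ".doc": {"ole2"},
    ".dot": {"ole2"},
    ".docx": {"zip"},
    ".docm": {"zip"},
    ".xml": {"xml"},
}


def sniff_container(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # tolerate a BOM / leading whitespace
    if head.startswith(b"<?xml") or head.startswith(b"<"):
        return "xml"
    return "unknown"


def word_xml_indicators(data: bytes) -> dict:
    """Find Word 2003 XML markers and embedded-macro markers in an XML blob.

    Assumed indicators: the mso-application progid identifies the file as a
    Word XML document; VBA in this format travels as base64 inside a
    w:binData element named editdata.mso, and Word flags macros with
    w:macrosPresent="yes" on the root element.
    """
    text = data.decode("utf-8", errors="replace")
    is_word_xml = 'progid="Word.Document"' in text
    has_bindata = re.search(r'<w:binData\b[^>]*w:name="editdata\.mso"', text) is not None
    flagged = 'w:macrosPresent="yes"' in text
    return {"word_xml": is_word_xml, "macros": has_bindata or flagged}


def assess_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment based on content, not extension."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    container = sniff_container(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and container not in expected
    info = {"filename": filename, "extension": ext, "container": container,
            "mismatch": mismatch, "word_xml": False, "macros": False}
    if container == "xml":
        info.update(word_xml_indicators(data))
    if mismatch and info["word_xml"] and info["macros"]:
        info["verdict"] = "block"       # XML-as-.doc with macros: the pattern above
    elif mismatch:
        info["verdict"] = "quarantine"  # extension lies about the content
    else:
        info["verdict"] = "allow"
    return info


# Constructed samples (not real documents or malware): a legacy .doc header and
# a minimal Word 2003 XML skeleton carrying a macro container.
LEGIT_DOC = OLE2_MAGIC + b"\x00" * 64
XML_AS_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"'
    b' w:macrosPresent="yes">\n'
    b'  <w:docSuppData><w:binData w:name="editdata.mso">QUJD</w:binData></w:docSuppData>\n'
    b'  <w:body><w:p><w:r><w:t>Please enable content</w:t></w:r></w:p></w:body>\n'
    b'</w:wordDocument>\n'
)

if __name__ == "__main__":
    for name, blob in (("memo.doc", LEGIT_DOC), ("invoice.doc", XML_AS_DOC)):
        print(assess_attachment(name, blob))
```

The point of sniffing first is that the verdict never depends on the attacker-controlled extension: a genuine .doc passes, an XML file renamed to .doc is quarantined even when no macro marker is found, and one that also carries the Word progid and a macro container is blocked outright.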

Trojan horses are malware disguised as benign or useful software. They are installed under false pretences: the user is tricked into believing the program serves a legitimate purpose. Once the Trojan executes on the victim’s machine, the attacker gains a foothold on the system and can steal valuable data or install further malware. Trojans are frequently delivered through phishing campaigns.

Emotet is one of the most rapidly evolving malware families and one of the most widely used: it has been used in 76% of Trojan attacks and accounts for more than 55% of all malicious payloads. Its operators regularly ship updates and new functionality, and frequently change their distribution methods to evade detection.

In the past month the attackers have launched campaigns against a large number of organisations, at a rate of nearly 15 attacks per day. Nearly a third of those attacks were directed at healthcare companies, and consumer product companies accounted for a further 22.5%.

Organisations should deploy up-to-date email security defences and spam filters to limit the chance of a phishing email reaching an employee’s inbox. Given this campaign, those defences should inspect attachment content rather than trust the file extension, and treat a .doc attachment that is actually XML (or any attachment whose extension disagrees with its content) as suspicious. Training employees on the dangers of phishing and how to spot a suspicious email remains critical to a robust security posture.