Symantec researchers have analyzed a recent increase in Emotet spam activity. The spikes in activity were detected starting in September 2019 and continued to rise through November 2019. Analysis of the spam emails found two distribution methods in use. The first used a link in the body of the email that led to the download of a Word document. The other attached the malicious Word document directly to the email. Themes in both cases were mostly related to invoices or finances. The researchers note that the documents discovered had been created only hours before being distributed in these campaigns. If the user enables macros in the Word document, PowerShell is used to drop and execute the Emotet payload, which is embedded in the document’s streams. Emotet then carries out its ultimate goal of installing additional malicious payloads.
Steal user information
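
The macro-to-PowerShell step described above shows up in process-creation telemetry as PowerShell running with Word as an ancestor. The following Python is an added example, not taken from Symantec's analysis; the event fields, PIDs, file paths and the ancestor depth limit are constructed assumptions.

```python
from ntpath import basename  # parses Windows paths on any platform

OFFICE = {"winword.exe"}                 # the document host named on the page
SHELLS = {"powershell.exe", "pwsh.exe"}  # PowerShell hosts
MAX_DEPTH = 4  # assumption: how many ancestors to inspect per process

# Constructed process-creation events (pid, parent pid, image path).
# Real telemetry should key on a process GUID, since PIDs are reused.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    # Word starts PowerShell directly
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Word starts PowerShell through an intermediate cmd.exe
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # PowerShell opened from the desktop: no Word ancestor, not flagged
    {"pid": 600, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def image_name(event):
    """Lower-cased executable name without its directory."""
    return basename(event["image"]).lower()


def find_word_to_powershell(events):
    """Return process chains (oldest first) where PowerShell descends from Word."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if image_name(event) not in SHELLS:
            continue
        chain, seen = [event], {event["pid"]}
        parent = by_pid.get(event["ppid"])
        # Walk up the tree; stop on a missing parent, a PID loop, or the depth limit.
        while parent and parent["pid"] not in seen and len(chain) <= MAX_DEPTH:
            chain.append(parent)
            seen.add(parent["pid"])
            if image_name(parent) in OFFICE:
                hits.append([image_name(p) for p in reversed(chain)])
                break
            parent = by_pid.get(parent["ppid"])
    return hits


if __name__ == "__main__":
    for chain in find_word_to_powershell(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

Walking several ancestors rather than only the direct parent keeps the check effective when an intermediate process sits between Word and PowerShell.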