Emotet operators are using a new spam email template to tell users that their system has been hacked
Security researchers have uncovered a new Emotet campaign that uses a spam email template to tell recipients that their data has been stolen by hackers.
The goal of these phishing emails is to trick the recipients into opening an attached document that will eventually drop the Emotet malware onto the target system.
The new extortion template was recently shared by security researcher ExecuteMalware with BleepingComputer.
“YOUR COMPUTER HACKED! We have taken over your personal data and financial data,” reads the message from hackers.
“If you follow the instructions attached to this letter and transfer us $50, we will simply delete your data. Otherwise, exactly one day after sending this letter, we will sell them on the black market for $10 and your losses can be much greater,” it continues.
“Nothing personal is just a business. Have a nice day. I hope for your cooperation.”
OK, here’s a first for me. Just received this #emotet email: pic.twitter.com/QupLqZXahK
— ExecuteMalware (@executemalware) January 17, 2020
The campaign was first noticed around 15th January 2020, according to Emotet expert Joseph Roosen.
In their message, the hackers ask the user to open an attached Word document for instructions on how to pay the money to save their personal data from being sold in the black market.
Once a user opens the malicious document, they are asked to click the “Enable Content” button to view the document properly. As soon as “Enable Content” is clicked, a PowerShell command is executed and installs the Emotet Trojan on the system.
Emotet is one of the world’s most disruptive threats
The infection doesn’t stop there. Emotet also downloads the TrickBot Trojan, designed to steal sensitive documents, login credentials, and more, from the infected system.
TrickBot’s operators sometimes also collaborate with the Ryuk ransomware actors to encrypt the entire network, in case the network is thought to be of high value.
Security researchers have advised users to be cautious of opening emails from unfamiliar accounts, especially emails bearing Word or other attachments.
In a separate report, researchers at cyber security firm Proofpoint also warned about a Emotet hacking operation, dubbed TA542, that appears to be targeting pharmaceutical companies in the US, Mexico and Canada.
The group behind TA542 targets users by sending them a brief phishing email claiming that it contains a ‘SOC report’ as an attached Word document. In reality, it contains the malicious payload.
“Emotet is one of the world’s most disruptive threats and organisations worldwide should take its return seriously. They have a massive sending infrastructure – nobody hits volumes like they do,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
“TA542’s recent uptick in activity shows that threat actors work smarter not harder. They took 150 days off in 2019 and, even with breaks, they’re incredibly effective,” she added.