After a brief lull over the holidays, Emotet's operators have resumed their malicious email campaigns, this time distributing a new strain of the payload that carries new tricks.
The messages target users speaking several different languages, luring them into opening an attached document laced with code that downloads and installs the malware.
The malware is under constant development, and this new variant can check whether the infected host's IP address is blacklisted or on a spam list maintained by services such as Spamhaus, SpamCop, or SORBS, so that spam is only sent from hosts whose mail is not already likely to be rejected. "This could allow attackers to deliver more emails to users' inboxes without any push back from spam filters," researchers at Cisco Talos say in a blog post.
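The check described above is, mechanically, an ordinary DNS blocklist (DNSBL) lookup: the IPv4 octets are reversed, the list's zone is appended, and an A record in 127.0.0.0/8 means "listed". The following is an added example, written for this page and not code from Emotet or from the Talos report, that shows how such a lookup works and how a sender could use it to decide whether a host is clean enough to send from. The zone names are the public DNSBL zones of the three services the article mentions; the response-code interpretation, the stub resolver and the sample answers are constructed for the example (the page does not say how Emotet implements its check, only what it checks). The system resolver is optional and only used if you call it without a stub.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Public DNSBL zones of the services named in the article (assumption:
# these are the zones a DNS-based check would query).
DNSBL_ZONES = {
    "Spamhaus ZEN": "zen.spamhaus.org",
    "SpamCop": "bl.spamcop.net",
    "SORBS": "dnsbl.sorbs.net",
}

# A resolver maps a DNS name to the first A record, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.

    203.0.113.10 against zen.spamhaus.org becomes
    10.113.0.203.zen.spamhaus.org.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer: Optional[str]) -> str:
    """Classify a DNSBL A-record answer.

    Convention: no record means not listed; any 127.0.0.0/8 answer means
    listed (the exact last octet encodes the reason and differs per list).
    Assumption for this example: 127.255.255.0/24 is treated as a query
    error rather than a listing, as Spamhaus does for blocked queries.
    """
    if answer is None:
        return "not listed"
    a = ipaddress.ip_address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return "query error"
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "unexpected"


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS resolver; NXDOMAIN surfaces as gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, resolver: Resolver = system_resolver,
             zones: Dict[str, str] = DNSBL_ZONES) -> Dict[str, str]:
    """Query every zone for one IP and return {list name: verdict}."""
    return {
        list_name: interpret_answer(resolver(dnsbl_query_name(ip, zone)))
        for list_name, zone in zones.items()
    }


def clean_for_sending(verdicts: Dict[str, str]) -> bool:
    """The decision a spam-sending bot would make: only send from a host
    that no list flags. A query error is treated as 'unknown' and the
    host is skipped, which is the conservative choice."""
    return all(v == "not listed" for v in verdicts.values())


def make_stub_resolver(table: Dict[str, str]) -> Resolver:
    """Offline resolver backed by a constructed name -> A-record table."""
    return lambda name: table.get(name)


# Constructed answers for the example. 127.0.0.2 is the conventional
# DNSBL test address, so it is listed everywhere; 203.0.113.10 (a
# documentation address) is clean; 198.51.100.7 gets a Spamhaus error.
CONSTRUCTED_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "2.0.0.127.dnsbl.sorbs.net": "127.0.0.2",
    "7.100.51.198.zen.spamhaus.org": "127.255.255.254",
}
STUB = make_stub_resolver(CONSTRUCTED_ANSWERS)


if __name__ == "__main__":
    for host in ("127.0.0.2", "203.0.113.10", "198.51.100.7"):
        verdicts = check_ip(host, STUB)
        print(host, verdicts, "send" if clean_for_sending(verdicts) else "skip")
```

Defenders can run the same logic against their own egress and mail-relay addresses; a host that a bot would consider "clean" is exactly the one whose outbound mail deserves the closest scrutiny from the DLP and mail-flow side. Real lookups from a shared or public resolver may be rate-limited or refused by the list operator, which is why a query-error code is handled separately from a listing.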
Expert Comments below:
Maor Hizkiev, CTO and Co-founder at BitDam:
“Like many malware strains, Emotet is learning from experience in order to improve and become more effective. In this case, the Emotet variant has developed a new capability that means it can fly under the radar and bypass common spam filters.
In addition to a previous update, which enables the malicious actor to take control of email accounts and send seemingly legitimate emails to dupe the recipient into opening malicious files, Emotet malware is becoming progressively potent, destructive and costly to both organisations and individual users.
The only real means of protecting against a mutable attack vector like this is to implement a solution that specialises in detecting content-borne attacks by analysing the file regardless of the meta-data that comprises it, such as sender and IP address. By doing so, organisations can continue to detect and block malicious code and links, even as they change and develop.”