Emotet malware back with ‘Windows Update’ attachment


The Emotet botnet has begun to use a new malicious attachment that pretends to be a message from Windows Update telling you to upgrade Microsoft Word.

Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim’s computer, which uses the computer to send spam email and ultimately leads to a ransomware attack on a victim’s network.

After a short vacation, the Emotet malware returned to operation on October 14th and began blasting out malicious spam worldwide.

These spam campaigns pretend to be invoices, shipping information, COVID-19 informationinformation about President Trump’s health, resumes, or purchase orders, as shown below.

Attached to these spam emails are malicious Word (.doc) attachments or links to download one.

When opened, these attachments will prompt a user to ‘Enable Content’ so that malicious macros will run to install the Emotet malware on a victim’s computer.

To trick users into enabling the macros, Emotet uses various document templates, including pretending to be created on iOS devices, Windows 10 Mobile, or that the document is protected.

With its return to activity, Emotet switched to a new template that pretends to be a message from Windows Update stating that Microsoft Word needs to be updated before the document can be viewed.

To update Word, the message tells the user to click on the Enable Editing and Enable Content buttons, which will cause the malicious macros to fire off. These malicious macros will download and install the Emotet malware on a victim’s computer.

Why it’s necessary to recognize Emotet attachments?

Emotet is considered the most widely spread malware targeting users today. It is also particularly dangerous as it installs other malware such as Trickbot and QBot onto a victim’s computer.

While TrickBot and QBot perform malicious activity on their own, such as stealing stored passwords, banking information, and assorted other information, they also commonly lead to Conti (TrickBot) or ProLock (QBot) ransomware attacks.

Due to this, it is vital to recognize the malicious document templates used by Emotet so that you do not accidentally become infected.


Please enter your comment!
Please enter your name here