Emotet malware using fake Windows Update templates

The templates trick users into enabling malicious macros in Office documents

Notorious banking Trojan Emotet has been using fake Windows Update templates as part of a campaign to deliver malware payloads onto victim systems.

That's according to researchers at Cryptolaemus, who state that the fake templates look just like actual system alerts from Windows.

Emotet is sophisticated malware designed to steal sensitive information from infected systems after installing a range of additional malware. When first identified in 2014, Emotet was a banking Trojan that primarily spread through malicious emails. Since that time it has evolved into a new form of malware, complete with its own botnet.

Due to its close links with other ransomware groups, some countries have started treating Emotet with the same level of urgency as a ransomware attack. Organisations in which an Emotet-infected host is found are asked to isolate the infected system to prevent the malware from infecting the entire network.

Emotet infection usually spreads through spam messages containing malicious Word or Excel files masquerading as invoices, payment reports, COVID-19 alerts, shipping data, job opportunities and any other type of information significant for the recipient.

The dodgy documents contain macros that the user must enable before anything happens; once enabled, the macros normally install Emotet.

To trick users into enabling the macros, Emotet operators use a wide variety of lures, including document templates that claim the file was created on a different platform (Windows 10 Mobile, Android or iOS devices) or compiled in an older version of Office, and so on.

Cryptolaemus researchers said last week that Emotet operators are now using a new template that masquerades as a message from Windows Update. The template states that the user needs to update Microsoft Word because the malicious document is supposedly not compatible with the file formats supported by their software.
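Because every lure described above, the Windows Update template included, ultimately depends on a macro-bearing Office attachment reaching the user, a mail gateway or triage script that flags such attachments before delivery removes the whole class of lure at once. The following is an added example written for this article, not code from Cryptolaemus or from any product; it inspects zip-based OOXML attachments (.docx, .docm, .xlsx, .xlsm and similar) for an embedded VBA project and flags the tell-tale mismatch of macros inside a file whose extension promises a macro-free document. The sample documents it builds are constructed test data, not real Emotet samples, and the `inspect_ooxml`, `build_sample_doc` and `triage_attachments` names are this example's own. Legacy OLE formats (.doc, .xls) are not zip containers and need an OLE parser such as oletools' olevba instead; the code reports them as non-OOXML rather than pretending to scan them.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# OOXML content type that Office assigns to an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that Office itself treats as macro-enabled; macros anywhere else are suspicious.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def inspect_ooxml(filename: str, data: bytes) -> Dict[str, object]:
    """Inspect one attachment and report whether it carries a VBA project.

    Returns a findings dict with:
      is_ooxml           - the bytes are a zip container with [Content_Types].xml
      has_macros         - a vbaProject part is present (by name or content type)
      extension_mismatch - macros found in a file whose extension implies none
      macro_parts        - names of the VBA project parts found
    """
    findings = {"file": filename, "is_ooxml": False, "has_macros": False,
                "extension_mismatch": False, "macro_parts": []}
    if not data.startswith(b"PK"):
        return findings  # not a zip container: legacy .doc/.xls need an OLE parser instead
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return findings  # a zip, but not an OOXML package
            findings["is_ooxml"] = True
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Check both the part list and the declared content types: a document that
            # hides the part under another name still has to declare the VBA content type.
            macro_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if macro_parts or VBA_CONTENT_TYPE in content_types:
                findings["has_macros"] = True
                findings["macro_parts"] = macro_parts
    except zipfile.BadZipFile:
        return findings  # truncated or corrupt archive; leave it unflagged but not trusted
    ext = ("." + filename.rsplit(".", 1)[-1]).lower() if "." in filename else ""
    if findings["has_macros"] and ext not in MACRO_EXTENSIONS:
        findings["extension_mismatch"] = True
    return findings


def triage_attachments(attachments: List[Tuple[str, bytes]]) -> List[str]:
    """Return the names of attachments that should be quarantined (any with macros)."""
    return [name for name, data in attachments if inspect_ooxml(name, data)["has_macros"]]


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        override = (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
                    if with_macro else "")
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="xml" ContentType="application/xml"/>'
                    f"{override}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder OLE compound-file signature followed by padding; a real VBA
            # project is a full OLE stream, which this check never needs to parse.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    inbox = [("invoice.docx", build_sample_doc(True)),   # macros hidden in a .docx
             ("report.docm", build_sample_doc(True)),    # macros where the extension admits them
             ("clean.docx", build_sample_doc(False)),
             ("notes.txt", b"plain text, not an Office file")]
    for name, data in inbox:
        print(inspect_ooxml(name, data))
    print("quarantine:", triage_attachments(inbox))
```

The check keys off the container structure rather than the lure text, so it is indifferent to whether the template imitates Windows Update, an older Office version or a mobile device: whatever the pretext, the VBA project has to be present for the "enable content" click to do anything. In a gateway, the `extension_mismatch` finding deserves a higher severity than `has_macros` alone, since a legitimate sender who needs macros will ship a `.docm`.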

The recent campaign was seen using a conversation hijacking technique, in which hackers take over email threads from ongoing business discussions and insert malicious documents as attachments.

Researchers also observed Emotet installing the TrickBot Trojan on some infected hosts, suggesting that TrickBot survived a recent attempt by Microsoft and its partners to take down this notorious botnet.

Microsoft says its security teams and partners spent several months collecting thousands of TrickBot malware samples and tracking the infrastructure that TrickBot used to communicate with infected systems. A detailed analysis of the samples and other information enabled researchers to learn the IP addresses of the command-and-control (C2) servers that cyber actors were using to control the botnet.

On 6th October, a US federal court gave Microsoft approval to disable the C2 servers the TrickBot operators were using.

The court also ordered the suspension of all services being offered to the operators and the blocking of any effort by them to lease or purchase additional servers.