Emotet Now Spreading Through Malicious Excel Files

An ongoing malicious email campaign that includes macro-laden files and multiple layers of obfuscation has been active since late December.

The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found.

Researchers at Palo Alto Networks Unit 42 have observed a new infection approach for the high-volume malware, which is known to modify and change its attack vectors to avoid detection so it can continue to do its nefarious work, they wrote in a report published online Tuesday.

“Emotet’s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,” Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.

The new attack vector, discovered on Dec. 21 and still active, delivers an Excel file that includes an obfuscated Excel 4.0 macro through socially engineered emails.

“When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload,” researchers wrote.
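As an added example (not code from the article or from the Unit 42 report), the following Python flags the process lineage the chain above implies on an endpoint: Excel spawning an HTML application host, which in turn spawns PowerShell. It assumes the HTA host is mshta.exe (the default handler for .hta files on Windows) and uses constructed, Sysmon-like process-creation events as input.

```python
# Added detection example; the event shape and the sample events below are constructed.
import ntpath

# Constructed process-creation events: pid, parent pid, image path, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsm'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\stage.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\Users\alice\AppData\Local\Temp\stage1.ps1"},
    # Benign: PowerShell started interactively from Explorer, no Office ancestor.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

# Ancestor -> descendant executable names that together match the reported chain
# (Excel macro -> HTA host -> PowerShell). Intermediate processes are tolerated.
SUSPECT_CHAIN = ("excel.exe", "mshta.exe", "powershell.exe")


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def find_suspect_chains(events, chain=SUSPECT_CHAIN):
    """Return one pid list (oldest ancestor first) per process whose ancestry
    contains `chain` as an ordered subsequence."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e["image"]) != chain[-1]:
            continue
        path, cur, idx = [e["pid"]], e, len(chain) - 2
        # Walk parent links upward, consuming chain entries from the end.
        while idx >= 0:
            parent = by_pid.get(cur["ppid"])
            if parent is None:
                break
            if _name(parent["image"]) == chain[idx]:
                path.append(parent["pid"])
                idx -= 1
            cur = parent
        if idx < 0:
            hits.append(list(reversed(path)))
    return hits


if __name__ == "__main__":
    print(find_suspect_chains(SAMPLE_EVENTS))  # [[200, 300, 400]]
```

Only the Excel -> mshta -> powershell lineage is reported; the interactively started PowerShell process is not.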

The Malware That Won’t Die

Emotet started life as a banking trojan in 2014 and has continually evolved to become a full-service

Read More: https://threatpost.com/emotet-spreading-malicious-excel-files/178444/