Emotet Launches a Campaign with Encrypted Files to Bypass Security

Emotet is one of those threats that resurfaces from time to time. Its operators are constantly refining their attacks so that their campaigns keep infecting devices. Today we look at their latest strategy, including a couple of mistakes they made along the way. It relies primarily on password-protected archives, which manage to slip past email security gateways because a scanner cannot open an encrypted archive without the password.

Emotet uses protected files to bypass security

The criminals did, however, make a mistake in this campaign. They began sending documents whose lure claimed they had been created on Windows 10 Mobile: the victim is asked to enable macros in order to view the document, supposedly because it was produced on that operating system.


The problem is that Windows 10 Mobile reached the end of its support life earlier this year, which makes the lure implausible. That small slip has since been corrected: the same documents are now delivered with a note claiming they were created on Android. The mechanism is unchanged: the victim has to enable macros, and that is what runs the malicious code.

The defining feature of this campaign is its use of password-protected files to bypass email security controls. Email is one of the most common delivery channels for malware, and the defences guarding it have improved accordingly. That is exactly why attackers keep looking for new ways around them, and Emotet's password-protected archives are a case in point: a gateway that cannot decrypt the archive cannot inspect or detonate the document inside it.

The new campaign uses several languages, so it reaches a large number of countries. The lures pose as meeting invitations, order confirmations, reports and the like. In every case the document arrives inside a compressed archive protected by a password, and the password is stated in the body of the message.

Once the victim extracts the archive with that password, they find a document asking them to enable macros. That is when the Emotet loader is downloaded, and Emotet then fetches a second-stage payload; according to the security researchers tracking the campaign, that payload is usually QakBot. Fortunately, there are ways to check whether a machine is infected with Emotet.
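The mechanics described above (an encrypted ZIP attached to a message whose body states the password, containing a macro-enabled Office document) are exactly what a mail gateway misses and what a mailbox-level triage script can catch. The following is an added example written for this article, not code from the Emotet operators, from Cryptolaemus or from any product: it builds a constructed lure email offline, detects that the attached ZIP has encrypted entries, scrapes candidate passwords from the message body in a few languages, opens the archive with them, and checks whether the extracted document contains a vbaProject.bin (the VBA macro container in OOXML files). The ZipCrypto writer, the filename Meeting_invite.zip, the password OPD1984ZX and the VBA stub are all constructed fixture data; a real gateway would of course apply this to the actual attachment rather than a fixture.

```python
import email
import io
import re
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

# Traditional PKWARE ("ZipCrypto") encryption, implemented here only to build a
# fixture offline: Python's zipfile can read this scheme but cannot write it.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = ((_c >> 1) ^ 0xEDB88320) if _c & 1 else (_c >> 1)
    _CRC_TABLE.append(_c)


def zipcrypto_encrypt(plain: bytes, pwd: bytes, check_byte: int) -> bytes:
    """Return the 12-byte encryption header followed by the ciphertext."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(c):  # key schedule advances on every plaintext byte
        keys[0] = _CRC_TABLE[(keys[0] ^ c) & 0xFF] ^ (keys[0] >> 8)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _CRC_TABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF] ^ (keys[2] >> 8)

    for p in pwd:
        update(p)
    out = bytearray()
    # byte 12 of the header must equal CRC >> 24; readers use it to reject wrong passwords
    for c in bytes(11) + bytes([check_byte]) + plain:
        k = keys[2] | 2
        out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(c)
    return bytes(out)


def encrypted_zip(name: str, data: bytes, pwd: bytes) -> bytes:
    """One STORED entry with general-purpose flag bit 0 (encrypted) set."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = zipcrypto_encrypt(data, pwd, crc >> 24)
    fname, flags, date = name.encode(), 0x1, ((2020 - 1980) << 9) | (11 << 5) | 6
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, date,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, date,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def build_sample_eml(zip_password: str, stated_password: str = None) -> bytes:
    """Constructed lure: body states a password, the ZIP holds a macro-bearing .docm."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as doc:  # minimal OOXML-like container
        doc.writestr("word/document.xml", "<w:document/>")
        doc.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA stub")
    msg = EmailMessage()
    msg["Subject"] = "Meeting invitation"
    msg.set_content(f"Please find the invitation attached.\nPassword: {stated_password or zip_password}\n")
    msg.add_attachment(encrypted_zip("Meeting_invite.docm", inner.getvalue(), zip_password.encode()),
                       maintype="application", subtype="zip", filename="Meeting_invite.zip")
    return msg.as_bytes()


# The lure discloses the password in the body, in whichever language it uses.
PASSWORD_RE = re.compile(
    r"(?:password|passcode|contrase[ñn]a|passwort|mot de passe|senha)\s*"
    r"(?:is|es|ist|est|:|=)?\s*[\"']?([^\s\"']+)", re.I)


def has_vba_project(blob: bytes) -> bool:
    """OOXML macro documents carry a vbaProject.bin part inside their ZIP container."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def triage_eml(raw: bytes) -> dict:
    """Flag encrypted ZIP attachments, then open them with passwords quoted in the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    candidates = [m.rstrip(".,;)") for m in PASSWORD_RE.findall(body.get_content() if body else "")]
    report = {"encrypted_zip": False, "password_in_body": bool(candidates),
              "opened_with": None, "macro_document": None}
    for part in msg.iter_attachments():
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue  # not a ZIP, whatever MIME type the sender declared
        if not any(zi.flag_bits & 0x1 for zi in zf.infolist()):
            continue
        report["encrypted_zip"] = True  # a gateway cannot inspect these entries
        for pwd in candidates:
            try:
                files = {zi.filename: zf.read(zi, pwd=pwd.encode()) for zi in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):
                continue  # wrong password: header check byte or CRC-32 mismatch
            report["opened_with"] = pwd
            report["macro_document"] = next((n for n, b in files.items() if has_vba_project(b)), None)
            break
    return report
```

Two points worth noting for anyone adapting this. An encrypted ZIP with its password in the same message is itself a strong signal, so the report flags it even when no candidate password opens the archive; and the password check in ZipCrypto is a single byte, so about one wrong guess in 256 passes the header check and only fails on the CRC, which is why both RuntimeError and BadZipFile are treated as a wrong password.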


The campaign has been active for weeks

Microsoft reported this campaign in recent days. However, Cryptolaemus, a group of security researchers who track Emotet, say it has been running for several weeks, and that the operators have been using this technique, which the group calls Zip Lock, for a long time.

Keep in mind that this threat can affect any type of user. As we have seen, the messages vary: one may pose as a meeting invitation, another as something related to an order, another as a report.

Our advice, as always, is to apply common sense. Do not open files received by email from sources you cannot trust, and be especially wary of password-protected attachments whose password is supplied in the same message: as this campaign shows, that arrangement exists mainly to keep security tools from inspecting the file.