Email Malware Returns With New Tricks
A notorious botnet that spreads malware through fake emails is back in action. Emotet has returned with some new tactics to try to bypass security checks.
Emotet had already gained a reputation for being (comparatively) successful at fooling humans and computers alike. Its most notable characteristic was that it not only used messages that appeared to come from a trusted contact, but that it addressed the recipient by name and even appeared to be a reply to a previous genuine message.
Most commonly, Emotet sends malware through Microsoft Word documents with macros. These are now disabled by default by Microsoft for any document received over the Internet. Posing as a trusted contact is intended to make it more likely the user will enable the macro.
Files Inflated
Now Trend Micro says Emotet's operators are using several new tactics, including those copied from other attackers and those which are more original. One is to "pad" the code behind the documents and associated malware to artificially inflate the file size to 500 megabytes or more.
That doesn't necessarily cause a notable delay in viewing, opening or downloading the files for recipients with fast broadband connections. However, it is enough to stop some security software from scanning the file. (Source: trendmicro.com)
The scammers have also found a creative solution to a common dilemma faced by malware distributors. Making the document blank means there's no need to create fake text that could easily raise suspicion unless individually crafted to match the recipient and supposed sender.
However, many anti-malware tools will automatically flag up a document that is empty but includes attachments or macros.
Classic Literature Hidden
The solution in this case is to put generic text on the page in a white font so that it's invisible to the user but not to the security software. In one example seen by Trend Micro, the hidden text was simply an excerpt from Moby Dick. (Source: arstechnica.com)
It's an old trick previously seen on websites that wanted to fool primitive search engine rankings by simply repeating a phrase over and over without it being spotted by the reader.
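Both evasions described above leave traces a defender can check for directly. The following added example (not code from the article, Trend Micro or Ars Technica) triages a .docx container for trailing null-byte padding, white-on-white hidden text and the presence of a macro part. The document it inspects is constructed in memory for the demonstration and is not a real malware sample; it assumes the padding is appended after the zip end-of-central-directory record, which is also the case that trips Python's `zipfile` once the padding exceeds 64 KiB.

```python
"""Heuristic triage of a .docx for padding, hidden white text and macros.
Added example, not the article's or Trend Micro's code. The sample document
below is constructed here and is NOT a real Emotet sample."""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
EOCD_SIG = b"PK\x05\x06"  # zip end-of-central-directory signature

# --- constructed sample: macro-enabled document, white text, trailing padding ---
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    '</Types>'
)
DOCUMENT_XML = (
    f'<w:document xmlns:w="{W_NS}"><w:body>'
    '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
    '<w:t>Call me Ishmael. Some years ago, never mind how long precisely...</w:t>'
    '</w:r></w:p>'
    '<w:p><w:r><w:t xml:space="preserve"> </w:t></w:r></w:p>'
    '</w:body></w:document>'
)


def build_sample_docx(pad_bytes: int) -> bytes:
    """Build the constructed sample; assumption: padding sits after the zip EOCD."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", DOCUMENT_XML)
        # Placeholder standing in for a VBA project part; only its presence matters.
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue() + b"\x00" * pad_bytes


def strip_trailing_padding(data: bytes):
    """Return (zip_bytes, trailing_bytes). zipfile only looks for the EOCD in the
    last 64 KiB, so a heavily padded file raises BadZipFile unless trimmed first."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("not a zip container: no end-of-central-directory record")
    comment_len = int.from_bytes(data[idx + 20:idx + 22], "little")
    end = idx + 22 + comment_len
    return data[:end], len(data) - end


def count_text_by_visibility(document_xml: bytes):
    """Count characters in runs coloured pure white versus all other runs."""
    root = ET.fromstring(document_xml)
    hidden = visible = 0
    for run in root.iter(f"{{{W_NS}}}r"):
        color = run.find(f"./{{{W_NS}}}rPr/{{{W_NS}}}color")
        is_white = color is not None and color.get(f"{{{W_NS}}}val", "").upper() == "FFFFFF"
        text = "".join(t.text or "" for t in run.iter(f"{{{W_NS}}}t")).strip()
        if is_white:
            hidden += len(text)
        else:
            visible += len(text)
    return hidden, visible


def inspect_docx(data: bytes, padding_threshold: int = 50 * 1024 * 1024) -> dict:
    """Report padding, macro presence and hidden-text ratio for one .docx blob."""
    zip_bytes, trailing = strip_trailing_padding(data)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = set(z.namelist())
        has_macros = "word/vbaProject.bin" in names
        if "[Content_Types].xml" in names:
            has_macros = has_macros or b"macroEnabled" in z.read("[Content_Types].xml")
        hidden, visible = count_text_by_visibility(z.read("word/document.xml"))
    report = {
        "total_bytes": len(data),
        "trailing_padding_bytes": trailing,
        "has_macros": has_macros,
        "hidden_text_chars": hidden,
        "visible_text_chars": visible,
    }
    # A macro document whose only text is invisible, or that carries a large
    # block of trailing padding, matches the pattern described in the article.
    report["suspicious"] = has_macros and (
        trailing >= padding_threshold or (hidden > 0 and visible == 0)
    )
    return report


if __name__ == "__main__":
    sample = build_sample_docx(100_000)  # 100 KB of padding keeps the demo small
    for key, value in inspect_docx(sample, padding_threshold=64 * 1024).items():
        print(f"{key}: {value}")
```

The padding threshold is a parameter because the 500 MB figure reported by Trend Micro is a single observed case; in a real scanner it should reflect what the gateway is prepared to scan, and the trailing-bytes count is useful on its own since a legitimately saved .docx has none.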
As always, the best things users can do are to keep software (including security tools) up to date with security patches and to be wary of any unexpected documents or links. When uncertain, it's best to double-check with the supposed sender to make sure a document is legitimate.
What's Your Opinion?
Do you think twice before opening attachments or links? Have you noticed any requests to enable macros in a document? Are you confident in your security tools (including those built in to email services) to keep your device safe?

My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!