The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found.
“Emotet’s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,” Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.
The new attack vector-discovered on Dec. 21 and still active-delivers an Excel file that includes an obfuscated Excel 4.0 macro through socially engineered emails.
The new Emotet infection method using Excel macros also has several variations, according to Unit 42.
“In other cases, Emotet uses an Excel spreadsheet directly attached to the email.”
“The encrypted.ZIP file contains a single Excel document with Excel 4.0 macros,” researchers wrote “These macros are an old Excel feature that is frequently abused by malicious actors. The victim must enable macros on a vulnerable Windows host before the malicious content is activated.”