Emotet Malware Poses as a Windows 10 Update Attachment

October 21, 2020

Security researchers have observed another twist from the Emotet botnet in pursuit of its malicious agenda. It now poses as an attachment from Windows Update, telling recipients of the spam email to update their Microsoft Word application.

As we all know, Emotet is a type of malware that is distributed via spam emails with Word or Excel document attachments. Once an unsuspecting victim opens the attached malicious document, it uses macros to download and install the Emotet malware on the victim’s computer. The compromised computer becomes part of the botnet and then sends spam emails that will ultimately lead to a ransomware attack on a victim’s computer.

After a short break, the financial malware returned last week and started to blast spam emails globally.

The spam emails can be disguised as an invoice or billing statement, shipping address information, resume submissions and requests, online purchase orders, a COVID-19 update information document, or President Trump’s health status information. Attached to these spam emails is the malicious Word or Excel file, or a link to download the document.

Once the victim downloads the attached document, the document prompts the user to ‘Enable Content,’ which runs the malicious embedded macros that install the Emotet trojan and compromise the user’s workstation.

To trick users into enabling the macros, the Emotet threat actors use different document themes and templates, including claims that the document was created on an iOS device or Windows Mobile, or that the document is protected and needs permission to run for system compatibility.

Another trick that security researchers observed during Emotet’s return is that it now pretends to be a message from Windows Update, telling users that Microsoft Word needs to be updated before documents can be viewed. To update the Word application, users are instructed to click Enable Editing and then Enable Content, which triggers the malicious macros.




Once executed, the malicious macros download and install the malware on the victim’s computer.
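The delivery chain described above depends on an Office attachment that carries macros. As an added example, not code from the original article, this Python triage parses a raw email and returns the names of attachments that contain VBA; the function names, the constructed sample message and the byte-marker heuristic for legacy .doc/.xls files are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # legacy .doc/.xls container header
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # VBA stream name as stored in the file

def has_macros(data: bytes) -> bool:
    """Heuristic (an assumption, not a full parser): does this Office file carry VBA?"""
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    if data.startswith(b"PK"):  # OOXML (.docx/.docm/.xlsm) is a ZIP archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def macro_attachments(raw_email: bytes) -> list:
    """Return the filenames of attachments that contain macros."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    return [part.get_filename() or "(unnamed)"
            for part in msg.iter_attachments()
            if has_macros(part.get_payload(decode=True) or b"")]

def _zip(names) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in names:
            z.writestr(name, b"constructed placeholder")
    return buf.getvalue()

def build_sample_email() -> bytes:
    """Constructed test message: two macro-bearing attachments and one clean one."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Invoice", "a@example.com", "b@example.com"
    msg.set_content("Please see the attached document.")
    samples = {
        "invoice.docm": _zip(["word/document.xml", "word/vbaProject.bin"]),
        "notes.docx": _zip(["word/document.xml"]),
        "update.doc": OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER,
    }
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(macro_attachments(build_sample_email()))
```

A flagged attachment is a candidate for quarantine or macro stripping at the mail gateway, before a user ever sees the ‘Enable Content’ prompt.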


Is it necessary to recognize the Emotet malware attachments?

The cybersecurity community recognizes Emotet as the most widely spread malware targeting end-users globally today. It is dangerous once installed because it enables the botnet operators to install other notorious malware, such as QBot and TrickBot, on the compromised computer system. This other malware is known to steal passwords stored locally and within applications, and to exfiltrate banking and financial information and other private and sensitive documents and data. These infections can commonly lead to a ransomware attack.

For these reasons, everyone must be able to recognize the malicious document templates and schemes used by the Emotet botnet so that their computer doesn’t accidentally get infected.
