Emotet Botnet Operators Switching to a New Template Named ‘Red Dawn’
Emotet malware has been continually evolving to the levels of technically sophisticated malware that has a major role in the expansion of the cybercrime ecosystem. First discovered as a simple banking Trojan, Emotet’s roots date back to 2014 when it attempted to steal banking credentials from affected machines.
However, after going through multiple upgrades, since then, it has taken upon various roles- to exemplify, it has leveled up its threat game long ago to become a “loader”; it gathers data and sends it via an encrypted channel to its command and control (C2) servers, it also downloads modules to further the functionality.
The threat actors, actively involved in the rapid expansion of “Emotet” as a service, have devised a new method of attacking their targets by making them access infected documents. Until a while ago, the operators of Emotet have been using an iOS-themed document template in their botnet campaigns, the template informed victims that the document was created on iOS and that in order to view the content properly, he needs to ‘Enable Content’.
However, this is not the scenario anymore. In its newer campaigns, the notorious botnet is reported to be employing a new template, named ‘Red Dawn’ by Emotet expert, Joseph Roosen, for its red accent colors.
While displaying the message, “This document is protected”, the Red Dawn template informs the user that the preview is unavailable and in order to view the document, he is required to click on ‘Enable Content’ or ‘Enable Editing’ button.
After the user is being tricked into accessing the document via the steps he was asked to follow, Emotet malware gets installed on his system following the execution of macros. Once the system is successfully infected, Emotet malware may proceed to deliver other malware and ransomware namely Trickbot and Qbot or Conti and ProLock respectively.
“#Emotet AAR for 2020/09/02: Only a couple malspams at dayjob. It looks like JP is getting targeted heavily now by E1/E2 and E3. Seeing templates on all 3! The new regex for E1 is stupid and I bet Yuri thought that was epic, well nope, even easier to block, new regex in report. TT”, Joseph Roosen said in his related Tweet.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.