Cybercriminals are capitalising on the release of whistleblower Edward Snowden’s new book, Permanent Record, to spread banking malware Emotet.
Since its publication last week, Snowden’s memoir has climbed the bestseller lists and fuelled discussion after the US government announced it would sue Snowden for breaching non-disclosure agreements.
As discovered by cybersecurity firm Malwarebytes, threat actors are taking advantage of this public interest, using social engineering techniques to lure victims into downloading malicious files.
How cybercriminals are using the Snowden book to spread malware
The threat actor behind Emotet is known to use spear phishing email campaigns to spread the malware. Just last week they were found to be hijacking old email threads to carry out attacks, for example.
Its latest campaign offers a free copy of the Snowden book as a Word document attached to an email.
Malwarebytes’ spam honeypot, which is used to gather and record malicious emails, found evidence of these messages being sent in English, Italian, Spanish, German and French.
When the victim downloads the file, the document displays a fake prompt stating “Word hasn’t been activated. To keep using Word without interruption, Enable Editing and Enable Content”.
This encourages the user to bypass a security warning from the application. While nothing will appear to happen, by enabling content the victim allows malicious macro code to execute, which runs a command to download the Emotet malware from a compromised WordPress website.
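As an added example (not code from Malwarebytes or the original article), a Python check that flags an Office Open XML document when it combines an embedded VBA project with the fake activation-prompt wording quoted above. The file layout checks and the sample document are constructed for illustration and assumed to be representative, not taken from a real Emotet sample.

```python
"""Flag .docx/.docm files that pair a VBA project with 'Enable Content' lure text."""
import io
import re
import zipfile

# Wording from the fake prompt; "enable content" is the tell-tale request.
LURE_PATTERNS = [
    re.compile(r"enable\s*content", re.I),
    re.compile(r"enable\s*editing", re.I),
    re.compile(r"hasn.t been activated", re.I),
]


def analyse_office_doc(data: bytes) -> dict:
    """Return macro and lure indicators for an OOXML (.docx/.docm) file."""
    result = {"has_macro": False, "lure_hits": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not OOXML (e.g. legacy OLE2 .doc); out of scope here
    names = zf.namelist()
    # Macro-enabled documents store the VBA project as word/vbaProject.bin.
    result["has_macro"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    body = zf.read("word/document.xml") if "word/document.xml" in names else b""
    # Strip XML tags so a phrase split across <w:t> runs still matches.
    text = re.sub(r"<[^>]+>", "", body.decode("utf-8", "replace"))
    result["lure_hits"] = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    # Lure text alone is just words; lure text plus a macro is the pattern to act on.
    result["suspicious"] = result["has_macro"] and bool(result["lure_hits"])
    return result


def build_sample(with_macro: bool, lure: bool) -> bytes:
    """Construct a minimal OOXML container for testing (constructed, not real malware)."""
    text = ("Word hasn't been activated. To keep using Word without interruption, "
            "Enable Editing and Enable Content") if lure else "Quarterly report"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:t>{text}</w:t></w:p></w:body></w:document>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(analyse_office_doc(build_sample(with_macro=True, lure=True)))
```

The check reads only the ZIP directory and document body, so it is cheap enough to run over mail attachments at the gateway before any macro can execute.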
Word documents are increasingly being used by cybercriminals to dupe targets into downloading malicious payloads. Cybersecurity company SonicWall recorded 50,800 new attack variants that exploited user trust in Microsoft Office files to deliver malware last year.
What is Emotet?
Emotet first appeared as a banking Trojan in 2014. The malicious software was designed to steal sensitive information from infected devices, such as credit card information and online banking login details.
The threat posed by Emotet has evolved since, with the malware now also being used to carry out spam email campaigns and deliver additional malware payloads.
According to Malwarebytes, Emotet has been seen to deliver follow-up payloads such as TrickBot, a similar malware designed to steal sensitive information, as well as the Ryuk ransomware, which stops victims from accessing their files and demands a ransom in order to regain access to them.
In its Q1 Cybercrime Report, Malwarebytes reported that detections of the malware rose from 800,000 to four million year-over-year. This led Malwarebytes to describe Emotet as the “most fearsome and dangerous threat to businesses today”.