In today’s cyber-security landscape, the Emotet botnet is one of the largest sources of malspam — a term used to describe emails that deliver malware-laced file attachments.
These malspam campaigns are absolutely crucial to Emotet operators.
They are the base that props up the botnet, feeding new victims to the Emotet machine — a Malware-as-a-Service (MaaS) cybercrime operation that’s rented to other criminal groups.
To prevent security firms from catching up and marking their emails as “malicious” or “spam,” the Emotet group regularly changes how these emails are delivered and how the file attachments look.
Emotet operators rotate the email subject lines, the text of the email body and the attachment file type, but also the content of the attachment itself, which matters just as much as the rest of the email.
That’s because users who receive Emotet malspam must do more than read the email and open the file: they also have to let the document run its embedded automated scripts, known as “macros.” Office opens attachments that came from the internet in Protected View, and macros run only after the user clicks the “Enable Editing” button in the yellow bar at the top of the document and then the “Enable Content” button that follows it.
Tricking users into clicking those buttons is just as important to malware operators as the design of their email templates, their malware, or the botnet’s backend infrastructure.
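Because the lure only matters once a user is willing to enable macros, a mail gateway or sandbox can short-circuit the whole chain by flagging any attachment that carries a VBA project at all, regardless of the file extension the sender chose. The following check is an added example written for this article, not code from the article or from any Emotet analysis; it uses only the Python standard library. It treats modern Office files (.docx/.docm/.xlsx/.xlsm) as the OOXML zip packages they are and looks for a `vbaProject.bin` part and for a `macroEnabled` content type; legacy binary .doc/.xls files are reported as needing a proper OLE parser (such as oletools, which is assumed to be available elsewhere). The sample attachments at the bottom are constructed in memory for the demonstration.

```python
import io
import zipfile
from typing import List, Optional

# Magic bytes for the two container formats Office attachments use.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm/.xlsx/.xlsm


def find_macro_indicators(data: bytes) -> Optional[List[str]]:
    """Return the list of macro indicators found in an OOXML package.

    Returns None for legacy OLE files (no OLE parser in the stdlib, so we
    refuse to guess) and an empty list for a package with no VBA project.
    """
    if data.startswith(OLE_MAGIC):
        return None
    if not data.startswith(ZIP_MAGIC):
        return []  # not an Office container; nothing for this check to say
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = b""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return []

    indicators = []
    # The VBA project is stored as a binary part; its location varies by
    # application (word/, xl/, ppt/), so match on the file name only.
    indicators += [n for n in names if n.lower().endswith("vbaproject.bin")]
    # Macro-enabled documents also declare a distinct main content type.
    if b"macroEnabled" in content_types:
        indicators.append("[Content_Types].xml declares a macroEnabled part")
    return indicators


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'macro', 'no-macro' or 'legacy-ole'.

    The filename is deliberately ignored for the decision: the attacker
    controls the extension, and a .docx name can still wrap a VBA project.
    """
    indicators = find_macro_indicators(data)
    if indicators is None:
        return "legacy-ole"   # hand off to an OLE-aware parser
    return "macro" if indicators else "no-macro"


def _build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip package in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments; not real Emotet documents.
CLEAN_DOCX = _build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument'
                           b'.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = _build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.ms-word.document'
                           b'.macroEnabled.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x01\x16\x01\x00\x00\xf0\x00\x00",  # placeholder bytes
})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 504  # just the Compound File header signature


if __name__ == "__main__":
    for name, blob in [("invoice.docx", CLEAN_DOCX),
                       ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", MACRO_DOCM),   # macro project behind a .docx name
                       ("invoice.doc", LEGACY_DOC)]:
        print(f"{name}: {classify_attachment(name, blob)}")
```

The third sample shows why the check ignores the extension: the package is byte-for-byte the one that carries `vbaProject.bin`, only the name changed. In production the `legacy-ole` result should route the file to an OLE-aware tool rather than be treated as clean.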