Free Copy of Edward Snowden’s Book Used as Lure in New Emotet Malspam Campaign

The Emotet botnet sprung back to life following a 4-month period of dormancy over the summer. The first campaigns, which involved hundreds of thousands of messages, used lures such as fake invoices, payment remittance advice notices, and statements to lure recipients into opening a malicious Word document, enabling content, and inadvertently launching a string of actions that result in the downloading of Emotet: One of the most dangerous malware variants currently being distributed via email.

It has only been a few days since those campaigns were detected, but now a new campaign has been detected. The latest malspam campaign also delivers Emotet but this time the lure is a free copy of Edward Snowden’s book – Permanent Record. The book is an account of Edward Snowden’s life that led up to his whistleblowing actions in 2013.

The campaign includes English, Italian, Spanish, and German language versions which claim to offer a free scanned copy of the former CIA staffer’s book. The English language version of the book is being distributed via email, so the attackers claim, because it is “Time to organize collective readings of Snowden book everywhere.” The email tells the recipient to “Go buy the book now, read it, share it, discuss it,” but conveniently a scanned copy is attached called Scan.doc.

As with the previous campaign, opening the attachment will display a Microsoft Product Notice – with appropriate logo – informing the user that Word has not been activated. The user is required to enable content to continue using Word and view the content of the document. At this point, all it takes is a single click to silently install Emotet. Once installed, Emotet will download other malware variants, including the TrickBot Trojan. Emotet is also being used to distribute ransomware payloads.

While the lures in the Emotet campaigns are regularly changed, they have all used malicious scripts in Word documents which download Emotet. The emails may be sent from unknown individuals or email addresses may be spoofed to make the emails appear to have come from a contact or work colleague.

The lures are convincing and are likely to fool may end users into opening the attachments and enabling content. For businesses, that can lead to a costly malware infection, theft of credentials, fraudulent bank transfers, and ransomware attacks.

Businesses can reduce risk by ensuring employees are told never to open email attachments in unsolicited emails from unknown senders, but also to verify the authenticity of any email attachment by phone before taking any action. It is also important to condition employees never to enable content in any document sent via email.

While end user security awareness training is essential, advanced anti-malware solutions are also required to prevent those messages from ever reaching inboxes.

SpamTitan includes DMARC authentication to block email impersonation phishing attacks and a Bitdefender-powered sandbox where suspicious email attachments can be safely executed and studied for malicious actions.

Along with a wide range of other content checks, including Bayesian analysis and greylisting, emails such as these can be blocked and prevented from being delivered to end users.