Emotet botnet has begun to use a new ‘Red Dawn’ template

Pierluigi Paganini August 30, 2020

In August, the Emotet botnet operators switched to a new template, named ‘Red Dawn,’ for the malicious attachments employed in new campaigns. 

The notorious Emotet went into the dark since February 2020, but after months of inactivity, the infamous trojan has surged back in July with a new massive spam campaign targeting users worldwide.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542.

In the middle-August, the Emotet malware was employed in fresh COVID19-themed spam campaign

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be invoices, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

Upon opening the documents, they will prompt a user to ‘Enable Content’ to execute that malicious embedded macros that will start the infection process that ends with the installation of the Emotet malware.

To trick a user into enabling the macros, Emotet botnet operators use a document template that informs them that the document was created on iOS and cannot be properly viewed unless the ‘Enable Content’ button is clicked.

Emotet botnet
Emotet botnet new document template (source Bleeping Computer)

“On August 25th, the botnet switched to a new template that Emotet expert Joseph Roosen has named ‘Red Dawn’ due to its red accent colors.” reported BleepingComputer. 

The Red Dawn template displays the message “This document is protected” and informs the users that the preview is not available in the attempt to trick him/her to click on ‘Enable Editing’ and ‘Enable Content’ to access the content.

Emotet malware is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet continues to be one of the most widespread botnets and experts believe it will continue to evolve to evade detection and infect the larger number of users as possible.

In August, the infamous Emotet malware was employed in a COVID19-themed campaign aimed at U.S. businesses.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment