Article 69RYZ Botnet that knows your name and quotes your email is back with new tricks

Botnet that knows your name and quotes your email is back with new tricks

by
Dan Goodin
from Ars Technica - All content on (#69RYZ)
email-notification-800x534.jpg

Enlarge (credit: Getty Images)

Widely regarded as one of the Internet's top threats, the Emotet botnet has returned after a months-long hiatus-and it has some new tricks.

Last week, Emotet appeared for the first time this year after a four-month hiatus. It returned with its trademark activity-a wave of malicious spam messages that appear to come from a known contact, address the recipient by name, and seem to be replying to an existing email thread. When Emotet has returned from previous breaks, it has brought new techniques designed to evade endpoint security products and to trick users into clicking on links or enabling dangerous macros in attached Microsoft Office documents. Last week's resumption of activity was no different.

A malicious email sent last Tuesday, for instance, attached a Word document that had a massive amount of extraneous data added to the end. As a result, the file was more than 500MB in size, big enough to prevent some security products from being able to scan the contents. This technique, known as binary padding or file pumping, works by adding zeros to the end of the document. In the event someone is tricked into enabling the macro, the malicious Windows DLL file that's delivered is also pumped, causing it to mushroom from 616kB to 548.1MB, researchers from security firm Trend Micro said on Monday.

Read 7 remaining paragraphs | Comments

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments