McAfee observed an increase in activity from a Trojan downloader dubbed “Emotet” that spreads through email and tricks victims into downloading a number of malicious payloads, including ransomware, Dridex, Trickbot, Pinkslipbot, and other banking Trojans.
According to the McAfee report, the phishing emails carry Word documents whose macros then download the payloads.
The macro code uses a combination of command-line, WMIC and PowerShell scripts to copy code to disk and to create a service that contacts the control server for a download URL.
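The chain described above (Office macro spawning a command shell, WMIC and PowerShell, then a service installed for persistence) is visible in ordinary process-creation and service-install telemetry. The following is an added detection sketch, not code from McAfee's report: the `key=value|key=value` event format, the field names (`type`, `parent`, `image`, `cmdline`, `name`) and the sample events are all constructed for illustration and do not correspond to a real sensor's schema.

```python
import re

# Process names that, when launched directly by an Office application, match
# the macro -> command line / WMIC / PowerShell chain described in the report.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wmic.exe", "powershell.exe"}

# Directories a legitimately installed service binary normally lives in.
# A new service whose binary sits elsewhere (e.g. a user profile) is suspect.
TRUSTED_SERVICE_DIRS = (
    r"c:\windows\system32",
    r"c:\program files",
    r"c:\program files (x86)",
)

# PowerShell flags and strings typical of hidden, encoded or download commands.
PS_SUSPICIOUS = re.compile(
    r"-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|downloadstring|frombase64string"
)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def score_event(ev):
    """Return the list of detection reasons that fire for a single event."""
    reasons = []
    kind = ev.get("type")
    image = basename(ev.get("image", ""))
    cmdline = ev.get("cmdline", "").lower()
    if kind == "process":
        parent = basename(ev.get("parent", ""))
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            reasons.append("office_spawns_script_host")
        if image == "wmic.exe" and "process call create" in cmdline:
            reasons.append("wmic_process_create")
        if image == "powershell.exe" and PS_SUSPICIOUS.search(cmdline):
            reasons.append("powershell_hidden_or_encoded")
    elif kind == "service_install":
        if not ev.get("image", "").lower().startswith(TRUSTED_SERVICE_DIRS):
            reasons.append("service_binary_outside_trusted_dirs")
    return reasons


def triage(lines):
    """Score every event; return (line_index, reasons) for those that fire."""
    alerts = []
    for index, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if reasons:
            alerts.append((index, reasons))
    return alerts


# Constructed sample telemetry: two benign events and three from the chain.
SAMPLE_EVENTS = [
    # Benign: Word opened from Explorer.
    r"type=process|parent=C:\Windows\explorer.exe|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmdline=WINWORD.EXE /n invoice.doc",
    # Macro launches WMIC directly from Word to create a new process.
    r"type=process|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\System32\wbem\WMIC.exe|cmdline=wmic process call create <PAYLOAD_PLACEHOLDER>",
    # WMIC spawns PowerShell with a hidden window and an encoded command.
    r"type=process|parent=C:\Windows\System32\wbem\WMIC.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell -w hidden -enc <BASE64_PLACEHOLDER>",
    # Persistence: a service whose binary lives in a user-writable directory.
    r"type=service_install|name=UpdateSvc|image=C:\Users\alice\AppData\Local\svchost-update.exe",
    # Benign: the print spooler service registered from System32.
    r"type=service_install|name=Spooler|image=C:\Windows\System32\spoolsv.exe",
]


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(reasons)}")
```

Each rule fires on one stage of the chain, so a single event is enough to raise an alert, but correlating the three process rules by parent PID within a short window is what turns noisy Office-spawns-shell hits into a high-confidence detection in practice.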
McAfee spotted a wave of new attacks in early December that was part of a malicious campaign spreading the ransomware family HydraCrypt.
Samples from the campaign appear to share characteristics with those used by Emotet attackers.
McAfee further warned that Emotet collects information about the victim’s computer (such as running processes) and sends encrypted data to the control server using a POST request.