Catching Up With Emotet

Fortinet reviewed activity from Emotet campaigns through the delivery of malicious documents using a variety of attack techniques. Since the malware's reemergence in November 202, it has been highly active. However, activity has slightly tapered potentially due to Microsoft disabling Excel 4.0 macro by default in January 2022. Analysis of five malicious document samples has identified the use of Excel or a Word document containing either malicious VBA macro or Excel 4.0 macro to deliver Emotet. The execution following the malware typically utilizes wscript, PowerShell, or Mshta to download the Emotet payload. Following its download, the malware would be executed with rundll32 or regsvr32.