The Emotet botnet recently introduced a new technique to infect end users. Emotet uses a malicious MS Word template, delivered as an email attachment, that pretends to be a Microsoft Office Activation Wizard. The actors behind Emotet use malicious Word document templates designed to trick recipients into enabling macros in the document. As soon as macros are enabled, VBA code executes that downloads and installs the Emotet Trojan, and possibly other malware, onto the recipient’s computer.

While the spam emails still use a mix of reply-chain and direct emails posing as invoices, order confirmations, payment confirmations, and shipping issues, they have now switched to a new document template that pretends to be a Microsoft Office Activation Wizard.

According to security researcher ps66uk, once the user clicks the button in the template, the document macros launch a PowerShell command that connects to a remote site, downloads the Emotet Trojan to the victim’s machine, and executes it. Once the machine is compromised, the Emotet Trojan sends spam emails to the victim’s contact lists and also downloads other malware to the victim’s machine.
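The macro-to-PowerShell step described above leaves a process-creation trail that defenders can hunt for. The following is an added example, not part of the original article: it flags PowerShell processes that have an Office application in their ancestry. The field names follow Sysmon Event ID 1, the events are constructed, and walking the ancestry through intermediate processes (and covering Excel and PowerPoint) is a generalization beyond the Word case the article describes.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed events; field names follow Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    {"ProcessGuid": "A", "ParentProcessGuid": None,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'WINWORD.EXE /n "C:\Users\user\Downloads\invoice.doc"'},
    {"ProcessGuid": "C", "ParentProcessGuid": "B",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c <placeholder>"},
    {"ProcessGuid": "D", "ParentProcessGuid": "C",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc <placeholder>"},
    {"ProcessGuid": "E", "ParentProcessGuid": "A",  # interactive admin shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

def _name(path):
    """Lower-cased executable name from a Windows path."""
    return ntpath.basename(path).lower()

def office_ancestor(event, by_guid, max_depth=8):
    """Return the nearest Office process above `event`, or None."""
    guid = event["ParentProcessGuid"]
    for _ in range(max_depth):  # bounded walk: tolerates gaps and loops in the data
        parent = by_guid.get(guid)
        if parent is None:
            return None
        if _name(parent["Image"]) in OFFICE:
            return parent
        guid = parent["ParentProcessGuid"]
    return None

def find_office_spawned_powershell(events):
    """List PowerShell launches that descend from an Office application."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e["Image"]) not in POWERSHELL:
            continue
        office = office_ancestor(e, by_guid)
        if office is not None:
            hits.append({"office": office["ProcessGuid"],
                         "powershell": e["ProcessGuid"], "cmdline": e["CommandLine"]})
    return hits
```

Keying on `ProcessGuid` rather than the PID avoids false links when Windows reuses a PID.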