After several months of inactivity, the Emotet botnet resumed email activity this morning at 8:00am EST. The malicious emails seem to be replying to already existing email chains, with the addition of an attached .zip file. The .zip files are not password protected. The themes of the attached files include finances and invoices.
The .zip files attached to these recent Emotet emails contain an Office Document with macros. Once opened, the user is prompted to “Enable Content”, which will allow the malicious macros to run. The macros will download an Emotet .dll from an external site and execute it locally on the machine.