The Emotet malware is back in active campaigns, security researchers warned. Apparently, the malware is hiding in documents in spam messages that pretend to be sent from financial institutions, or masqueraded as Thanksgiving greetings for employees.
The last time we wrote about Emotet was a year ago, in November 2017, when the banking Trojan was updated to include a dangerous component which caused serious concerns among the security community – extracting data even over secured connections.
The files could be easily sent using the most popular infection methods. The newly reported attacks once again prove that Emotet remains one of the most popular payloads, and that its operators are always looking for new infection methods.
Emotet New Phishing Functionality
The Emotet malware became active at the end of October this year. That is when a new plugin that exfiltrated email subjects and 16KB of the email bodies was detected. This functionality is currently used to improve phishing templates.
The Thanksgiving Phishing Scam
Forcepoint researchers detected a thoughtfully crafted email which included “some cheerful Thanksgiving words”. As reported, this email saw volumes exceeding 27,000 in the period between 07:30 EST and 17:00 EST in a single day. This is what the email body says:
In this season of thankfulness, we are especially grateful to you, who have worked so hard to build and create the success of our company. Wishing you and your family a Thanksgiving full of blessings.
Thanksgiving Day Card below.
The document in the email was in fact an XML file pretending to be a .doc file. It expectedly had embedded macros leading to a PowerShell downloader for the Emotet payload. However, it should be noted that:
the document in this case is not the usual .doc or .docx but rather an XML file masquerading as a .doc, and the macro in this instance makes use of the Shapes feature, ultimately leading to the calling of the shell function using a WindowStyle of vbHide. The syntax for the shell function is Shell( pathname, [ windowstyle ] ) where pathname can be a program or script.
The resultant output is a heavily obfuscated command. When deobfuscated, the command revealed the standard PowerShell downloader routinely observed in Emotet campaigns, the researchers added.
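A defender-side triage check for the attachment type described above, added here as example code (it is not from the article or from Forcepoint): it identifies the real container from the file's leading bytes rather than its extension, and for Word 2003 XML it looks for the macro indicators that format uses, the w:macrosPresent="yes" attribute and a w:binData element named editdata.mso. The sample document is constructed and its base64 body is a placeholder.

```python
import re

# Magic bytes of the containers a ".doc" attachment could legitimately be.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Word (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx (zip)
WORDML_NS = b"schemas.microsoft.com/office/word/2003/wordml"

# Constructed sample: Word 2003 XML with a macro container, shipped under a .doc name.
SAMPLE_WORDML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"'
    b' w:macrosPresent="yes">\n'
    b'  <w:binData w:name="editdata.mso">PLACEHOLDER_BASE64_ACTIVEMIME</w:binData>\n'
    b'  <w:body><w:p><w:r><w:t>Thanksgiving Day Card below.</w:t></w:r></w:p></w:body>\n'
    b'</w:wordDocument>\n'
)

def classify_container(data: bytes) -> str:
    """Identify the real container from the leading bytes, never the extension."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.lstrip().startswith(b"<"):
        return "wordml" if WORDML_NS in data else "xml"
    return "unknown"

def wordml_macro_indicators(data: bytes) -> list:
    """Word 2003 XML features that mean VBA is embedded in the document."""
    found = []
    if re.search(rb'w:macrosPresent\s*=\s*"yes"', data):
        found.append("macrosPresent=yes")
    if re.search(rb'<w:binData[^>]*w:name="editdata\.mso"', data):
        found.append("binData editdata.mso")
    return found

def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag a .doc-named attachment whose bytes are XML carrying macro indicators."""
    container = classify_container(data)
    ext = filename.lower().rsplit(".", 1)[-1]
    mismatch = ext == "doc" and container != "ole2"
    indicators = wordml_macro_indicators(data) if container == "wordml" else []
    return {
        "container": container,
        "extension_mismatch": mismatch,
        "macro_indicators": indicators,
        "suspicious": mismatch and bool(indicators),
    }
```

A mail gateway or sandbox pre-filter can run this on every Office attachment before any macro analysis, since the extension mismatch alone is already worth an alert.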