Emotet Returns with Thanksgiving Theme and Better Phishing Tricks

December 10, 2018

After a short break, Emotet malware has been observed in campaigns delivered through messages that pretended to be from financial institutions or were disguised as Thanksgiving-themed greetings for employees.

At the beginning of October, Emotet activity dropped off the radar, only to return towards the end of the month with a new plugin that exfiltrates email subjects and 16KB of the bodies.
The new functionality could be used to build better phishing templates, which by all accounts is the case with the most recent campaigns.

Cofense, a provider of phishing defense solutions formerly known as PhishMe, saw new Emotet-related activity on November 13. The malware arrived by means of elaborate phishing messages that spoofed “a known and trusted organization.”

What stood out in the messages were genuine links that used Proofpoint’s URL Defense, a scanning service that redirects the URL to Proofpoint servers for verification when the user clicks on it; these links have a particular structure, visible when you hover over them, which adds to the deception. They were most likely stolen from a compromised user with the new email-scraping module.


Emotet isn’t the final payload

According to Cofense, the messages came with a Word document embedded with malicious macro code. When executed, the code downloaded and ran Emotet on the system. The malware isn’t the final payload, however, as it acts as a downloader for another one. In this case, it was IcedID, a banking trojan that emerged a year earlier, focused on investment and financial institutions as well as a few bank holding companies.

As far as Emotet is concerned, the security company says that it keeps growing, with “no less than 20,000 qualifications added to the rundown of certifications utilized by the botnet customers every week alongside tons of recipients.”

Cofense saw a significant improvement in the social engineering tricks in the most recent campaign and attributes this to the recently added email-scraping module.

Emotet’s Thanksgiving lure

Emotet has been part of another campaign that began on November 19 and delivered more than 27,000 messages in under ten hours, between 07:30 and 17:00.

Although the operation follows the usual pattern, the odd part is the Thanksgiving message theme, in contrast with the standard financial lures. The mail subjects refer to Thanksgiving cards, greetings, congratulations and messages, and some of them include the victim’s name.

Cybersecurity company Forcepoint, which is tracking this activity, says in a blog post today that the malicious document delivering Emotet was not a Word document, but rather an XML file pretending to be a DOC.


This technique offers better concealment of the macro code with the commands responsible for retrieving the payload.


Deobfuscation shows that the threat actor used the standard PowerShell downloader commonly seen with Emotet.
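
A mail-gateway or triage check for the "XML pretending to be a DOC" trick described above can compare an attachment's extension with its actual content. The following is an added example, not code from Forcepoint, Cofense or the original article; the file names and sample bytes are constructed, and the check assumes the Word 2003 XML markers (the `mso-application` processing instruction and a `w:binData` element naming a `.mso` blob).

```python
import re

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm) container
WORD_PROGID = re.compile(rb"<\?mso-application\s+progid=[\"']Word\.Document[\"']\s*\?>")
MACRO_BLOB = re.compile(rb"<w:binData\b[^>]*w:name=[\"'][^\"']*\.mso[\"']", re.I)


def sniff_format(data: bytes) -> str:
    """Classify a document by content, ignoring its file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip UTF-8 BOM / whitespace
    if head.startswith(b"<?xml") and WORD_PROGID.search(head):
        return "word-xml"  # Word 2003 XML: opens in Word whatever the extension
    if head.startswith(b"<?xml"):
        return "xml"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Flag attachments whose extension and real format disagree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_format(data)
    expected = {"doc": "ole2", "docx": "ooxml-zip", "docm": "ooxml-zip"}.get(ext)
    return {
        "format": fmt,
        "extension_mismatch": expected is not None and fmt != expected,
        # Macro projects in Word XML travel as a base64 .mso blob in w:binData.
        "embedded_macro_blob": fmt == "word-xml" and bool(MACRO_BLOB.search(data)),
    }


# Constructed sample: skeleton of a Word 2003 XML file saved with a .doc name.
SAMPLE_XML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\n'
    b'<w:docSuppData><w:binData w:name="editdata.mso">QWN0aXZlTWltZQ==</w:binData>'
    b'</w:docSuppData><w:body/></w:wordDocument>\n'
)
SAMPLE_OLE_DOC = OLE2_MAGIC + b"\x00" * 504  # constructed: OLE2 header bytes only

if __name__ == "__main__":
    print(triage("Thanksgiving-card.doc", SAMPLE_XML_DOC))  # constructed file name
    print(triage("report.doc", SAMPLE_OLE_DOC))
```

A mismatch alone is only a triage signal; combined with an embedded macro blob it is a strong reason to quarantine the attachment for analysis.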
