Emotet, the seemingly ubiquitous banking trojan, has turned up again after a small hiatus, this time as the anchor in a Thanksgiving-themed campaign that cranked up in the U.S. this week.
It has also upgraded its capabilities with new tactics and modules, which has boosted its efficacy, according to researchers.
Looking to take advantage of a nation preparing for a collective food coma, the cybercriminals behind the campaign have so far sent out 27,000 or so messages daily, with verbiage that marks a departure from the standard financial themes regularly seen used as phishing lures by the group.
The messages are seemingly full of holiday spirit: “In this season of thankfulness, we are especially grateful to you, who have worked so hard to built the success of our company. Wishing you and your family a Thanksgiving full of blessings.”
Then, “Thanksgiving Day Card below.”
The “card,” of course, is anything but something to give thanks for. It’s actually a document with embedded macros leading to a PowerShell downloader for the Emotet payload, which acts as a dropper for other payloads in addition to its banking trojan capabilities. If you click on the document the attack is launched.
Forcepoint researchers found that the document is not the usual .doc or .docx typically seen in Emotet campaigns, but rather an XML file masquerading as a .doc. The macro in this instance makes use of the Shapes feature, ultimately leading to the calling of the shell function.
The macro, too, has been recently evolved from the typical Emotet pattern, with upgraded macro obfuscation and formatting.
“The Emotet crew have quite thoughtfully included some cheerful Thanksgiving words in the emails,” said researchers from Forcepoint, in a posting Tuesday on the campaign. “In the few weeks since Emotet returned it has undergone some interesting changes, most notably in the new Thanksgiving theme and macro obfuscation.”
When the macro calls the shell function (using a WindowStyle of vbHide), the output is a heavily obfuscated command. When deobfucscated, the above command reveals the standard PowerShell downloader normally observed with Emotet.
“Whilst not completely novel … it does pose a challenge to defenders due to the sheer volume of emails sent, as detection signatures need to be rapidly created to stem the onrushing tide,” the Forcepoint team noted.
The research dovetails with that of Cofense Intelligence, which last week saw Emotet-laden emails spoofing major U.S. financial institutions, with the malware sporting upgraded capabilities.
“After a month-long hiatus, [Emotet returned in early November] with upgrades to its spamming module, supplementing existing capabilities – namely contact list and signature block theft – with functionality enabling the theft of up to 16KB of raw emails and threads,” the Cofense team said, in a posting Monday.
The researchers, which call Emotet by its alias, Geodo, also said the updates – including the previously reported ability to lift up to 180 days’ worth of email content at once from a single target – have allowed the threat actors to expand their money-making tactics. “Although the exact reason for this module upgrade was unclear, Cofense Intelligence assessed it would either be used to bolster the actors’ social engineering efforts, using the stolen data to refine Geodo phishing templates, or for direct revenue generation – selling the raw message content to the highest bidder,” they said.
Cofense also said that since Nov. 13, it has seen 20,000 credentials added to the list of credentials used by the Emotet clients each week, along with millions upon millions of recipients. This indicates the success of the updates.
“The introduction of this new module has had clear and dramatic effects on the sophistication and efficacy of this social engineering effort,” the team said. “This most recent campaign demonstrated a