Emotet operators are running Halloween-themed campaigns

Pierluigi Paganini October 31, 2020

The crooks behind the Emotet malware are attempting to take advantage of the Halloween festivities: a new campaign could invite you to a Halloween party.

Threat actors are attempting to take advantage of the Halloween festivities. A recent Emotet malware campaign spotted by BleepingComputer employed spam emails that invite recipients to a Halloween party.

The Emotet banking trojan has been active since at least 2014, and the botnet is operated by a threat actor tracked as TA542. In mid-August, the malware was employed in a fresh COVID19-themed spam campaign.

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

The infamous banking trojan is also used to deliver other malicious code, such as the TrickBot and QBot trojans, or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet is modular malware; its operators can develop new Dynamic Link Libraries to update its capabilities.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August.

During that time, the agency’s EINSTEIN Intrusion Detection System has detected roughly 16,000 alerts related to Emotet activity.

In a recent campaign observed on October 14th, the attackers used multiple lures, including invoices, purchase orders, shipping information, COVID-19 information, and information about President Trump’s health.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

Now experts warn of Emotet campaigns that are playing a Halloween trick: the spam messages attempt to trick victims into opening a weaponized attachment by inviting them to a Halloween party.

“The Emotet malware gang has created an email that pretends to invite you to a Halloween party to trick you into opening the malicious attachment,” reported Bleeping Computer.

According to the experts, threat actors are using unique subjects like Happy Halloween, Halloween Party, Halloween party invitation, Halloween invitation, Party tonight, etc.

The malicious files used in this campaign have different names, such as Inviting friends to your Halloween Extravaganza.doc, Halloween Pot Luck 10.31.doc, Halloween.doc, Halloween party invitation.doc, and Halloween party.doc.
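A mail-gateway triage check built from the subjects and attachment names listed above, as an added example that is not code from Bleeping Computer, Microsoft or the original article. The function names, reason labels and sample message are constructed for illustration, and treating an OLE2-format .doc as a review signal is an assumption; exact-match lists like these go stale as soon as the operators rotate lures.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subjects and attachment names reported in the article, lower-cased.
SUBJECTS = {"happy halloween", "halloween party", "halloween party invitation",
            "halloween invitation", "party tonight"}
ATTACHMENTS = {"inviting friends to your halloween extravaganza.doc",
               "halloween pot luck 10.31.doc", "halloween.doc",
               "halloween party invitation.doc", "halloween party.doc"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy binary .doc files


def norm(text):
    """Lower-case and collapse whitespace so folding or casing cannot dodge a match."""
    return re.sub(r"\s+", " ", str(text or "")).strip().lower()


def triage(raw_message):
    """Return the reasons (possibly none) a raw RFC 5322 message matches the lures."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    if norm(msg["Subject"]) in SUBJECTS:  # policy.default decodes RFC 2047 words
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = norm(part.get_filename())
        payload = part.get_payload(decode=True) or b""
        if name in ATTACHMENTS:
            reasons.append("attachment-name")
        if name.endswith(".doc") and payload.startswith(OLE2_MAGIC):
            reasons.append("ole2-doc")  # binary Word format named in the article
    return reasons


def build_sample(subject, filename, data):
    """Constructed test message (not a real sample) with one attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Trick or Treat?\nDetails in the attachment.")
    m.add_attachment(data, maintype="application", subtype="msword",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample("Party tonight", "Halloween party.doc",
                              OLE2_MAGIC + b"\0" * 16)))
```

The "ole2-doc" reason only confirms the attachment is the legacy binary Word format; it says nothing about whether the file carries macros.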

[Image: Halloween-themed Emotet spam email. Source: Bleeping Computer]

Researchers from Microsoft Security Intelligence are also warning of the ongoing Halloween-themed Emotet campaign.

An example of the text found in the spam emails is:

Dear, 
Trick or Treat?
Details in the attachment.
Mail: XXXXXXXXX

Once opened, the attachment invites the recipient to click the “Enable Editing” and “Enable Content” buttons; it will then install the Emotet Trojan on the computer.

The template used in the Halloween Emotet campaign asks recipients to upgrade their Microsoft Word version by enabling the content.

The suggestion is to avoid opening any attachment coming with an email inviting you to a Halloween party.


Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)
