New Emotet Thanksgiving campaign differs from previous ones

Researchers from Forcepoint observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.

Security researchers from Forcepoint have observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.

EMOTET, aka Geodo, is a banking trojan linked to the dreaded Dridex and Feodo (Cridex, Bugat) malware families.

In past campaigns, EMOTET was used by crooks to steal banking credentials and as a malicious payload downloader.

According to the experts, the Thanksgiving-themed campaign targeted U.S. users this week.

“After a hiatus of some weeks, we observed Emotet returning in mid-November with upgraded macro obfuscation and formatting. On 19 November, it began a US-centric Thanksgiving-themed campaign. As many will know this is a departure from the standard financial themes regularly seen.” reads the analysis published by Forcepoint.

The new campaign leverages an improved variant of the malware that implements new features and modules, experts pointed out that this is the first campaign that doesn’t use financial themes.

The crooks behind the recent Emotet campaign sent out roughly 27,000 messages daily, below a sample of the Thanksgiving-themed message:

The attachment is an XML file masquerading as a .doc with embedded macros leading to a standard PowerShell downloader normally observed with Emotet banking Trojan, which is also used by crooks to drop other payloads.

“However, the document in this case is not the usual .doc or .docx but rather an XML file masquerading as a .doc, and the macro in this instance makes use of the Shapes feature, ultimately leading to the calling of the shell function using a WindowStyle of vbHide.” continues the expert.

The macro has been recently evolved from the Emotet pattern, in implements upgraded macro obfuscation and formatting.

“In the few weeks since Emotet returned it has undergone some interesting changes, most notably in the new Thanksgiving theme and macro obfuscation discussed previously.” concludes Forcepoint.

“Whilst not completely novel (use of XML files to conceal macros was reported by Trustwave back in 2015) it does pose a challenge to defenders due to the sheer volume of emails sent, as detection signatures need to be rapidly created to stem the onrushing tide.”

Further details, including IoCs are reported in the analysis published by the experts.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – banking trojan, spam)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.