The attachment is an XML file masquerading as a .doc with embedded macros leading to a standard PowerShell downloader normally observed with Emotet banking Trojan, which is also used by crooks to drop other payloads.
Pierluigi Paganini
November 23, 2018
Security researchers from Forcepoint have observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.
EMOTET, aka Geodo, is a banking trojan linked to the dreaded Dridex and Feodo (Cridex, Bugat) malware families.
In past campaigns, EMOTET was used by crooks to steal banking credentials and as a malicious payload downloader.
According to the experts, the Thanksgiving-themed campaign targeted U.S. users this week.
“After a hiatus of some weeks, we observed Emotet returning in mid-November with upgraded macro obfuscation and formatting. On 19 November, it began a US-centric Thanksgiving-themed campaign. As many will know this is a departure from the standard financial themes regularly seen.” reads the analysis published by Forcepoint.
The new campaign leverages an improved variant of the malware that implements new features and modules, experts pointed out that this is the first campaign that doesn’t use financial themes.
The crooks behind the recent Emotet campaign sent out roughly 27,000 messages daily, below a sample of the Thanksgiving-themed message:
The attachment is an XML file masquerading as a .doc with embedded macros leading to a standard PowerShell downloader normally observed with Emotet banking Trojan, which is also used by crooks to drop other payloads.
“However, the document in this case is not the usual .doc or .docx but rather an XML file masquerading as a .doc, and the macro in this instance makes use of the Shapes feature, ultimately leading to the calling of the shell function using a WindowStyle of vbHide.” continues the expert.
The macro has been recently evolved from the Emotet pattern, in implements upgraded macro obfuscation and formatting.
“In the few weeks since Emotet returned it has undergone some interesting changes, most notably in the new Thanksgiving theme and macro obfuscation discussed previously.” concludes Forcepoint.
“Whilst not completely novel (use of XML files to conceal macros was reported by Trustwave back in 2015) it does pose a challenge to defenders due to the sheer volume of emails sent, as detection signatures need to be rapidly created to stem the onrushing tide.”
Further details, including IoCs are reported in the analysis published by the experts.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – banking trojan, spam)
[adrotate banner=”5″]
[adrotate banner=”13″]
