After a short break, Emotet malware has been observed concealed in documents delivered through emails that pretended to be from financial institutions or disguised as Thanksgiving-themed greetings for employees.
In early October, Emotet activity dropped off the radar, only to come back towards the end of the month with a new module that exfiltrates email subject lines and up to 16KB of each message body.
The new functionality could be used to create better phishing templates, which seems to be the case with the latest campaigns.
Phishing-defense vendor Cofense, formerly PhishMe, noticed new Emotet-related activity on November 13. The malware came via elaborate phishing messages that spoofed "a known and trusted organization."
What stood out in the messages were legitimate links wrapped by Proofpoint's URL Defense, a service that rewrites URLs in incoming mail so that each click is routed through Proofpoint's servers for scanning before the user is redirected to the destination. Rewritten links have a recognizable, Proofpoint-specific structure that is visible when hovering over them, and this adds to the deception: a recipient whose organization uses the service sees exactly the kind of link they are used to. These links were probably harvested from a compromised user's mailbox with the new email-scraping module.
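An analyst triaging such a lure will want to see where a rewritten link actually points rather than trust the wrapper. The block below is an added example, not code from the article or from Cofense or Proofpoint: it decodes the target hidden in the `u` parameter of a URL Defense v2 link, assuming the publicly documented v2 rule (the target is percent-encoded, then `%` is written as `-` and `/` as `_`). The mail body, the wrapped link and its target domain are all constructed for the example; the other query parameters are placeholders.

```python
# Added example, not code from the article or from Cofense/Proofpoint: decode the
# destination behind a Proofpoint URL Defense v2 link so an analyst triaging a
# lure can see where a rewritten link really points instead of trusting the
# urldefense.proofpoint.com wrapper. Only the v2 form is handled.
from __future__ import annotations
import re
from urllib.parse import parse_qs, unquote, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_urldefense_v2(url: str) -> bool:
    """True if the URL is a Proofpoint URL Defense rewrite using the v2 path."""
    p = urlparse(url)
    return p.netloc.lower() == "urldefense.proofpoint.com" and p.path.startswith("/v2/url")


def decode_urldefense_v2(url: str) -> str:
    """Recover the original target from the 'u' parameter of a v2 rewrite.

    v2 percent-encodes the target and then writes '%' as '-' and '/' as '_'
    (so a literal '-' in the target appears as '-2D' and '_' as '-5F').
    Undoing it is two substitutions followed by an ordinary percent-decode.
    """
    if not is_urldefense_v2(url):
        raise ValueError("not a URL Defense v2 link")
    params = parse_qs(urlparse(url).query)
    if "u" not in params:
        raise ValueError("URL Defense link without a 'u' parameter")
    return unquote(params["u"][0].replace("-", "%").replace("_", "/"))


def resolve_links(body: str) -> list[tuple[str, str]]:
    """Return (link_as_seen, real_destination) for every URL in a mail body.

    Links that are not URL Defense rewrites are returned unchanged, so the
    output is one list an analyst can eyeball or feed to a reputation check.
    """
    pairs = []
    for m in URL_RE.finditer(body):
        seen = m.group(0)
        pairs.append((seen, decode_urldefense_v2(seen) if is_urldefense_v2(seen) else seen))
    return pairs


# Constructed lure body: the wrapped link was built by hand in the v2 scheme
# around a made-up target, and the d/c/r/m/s values are placeholders.
SAMPLE_BODY = """Please review the attached remittance advice.
https://urldefense.proofpoint.com/v2/url?u=https-3A__portal.example-2Dbank.test_login-3Fuser-3Djdoe&d=placeholder&c=placeholder&r=placeholder&m=placeholder&s=placeholder&e=
Regards,
https://www.example-bank.test/
"""

if __name__ == "__main__":
    for seen, real in resolve_links(SAMPLE_BODY):
        marker = "  (rewritten)" if seen != real else ""
        print(f"{real}{marker}")
```

The decoded destination is what should go into blocklist and reputation checks; the wrapper domain itself is legitimate and tells you nothing about the campaign.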
According to Cofense, the emails came with a Word document embedded with malicious macro code. Once executed, the code downloaded and ran Emotet on the system. The malware is not the final payload, though, as it acts as a downloader for a different one. In this case, it was IcedID, a banking trojan that emerged a year ago, focused on investment and financial institutions as well as several bank holding companies.
As far as Emotet is concerned, the security company says that it keeps on growing, with "at least 20,000 credentials added to the list of credentials used by the botnet clients each week along with millions upon millions of recipients."
Cofense noticed a drastic improvement of the social engineering tricks in the latest campaign and attributes this to the newly added email scraping module.
Emotet was also behind another campaign that started on November 19 and delivered more than 27,000 emails in less than ten hours, between 07:30 and 17:00.
Although the operation follows the usual pattern, the odd part is the Thanksgiving theme, a departure from the regular financial lures. The mail subjects refer to Thanksgiving cards, greetings, congratulations and messages, and some of them include the victim's name.
Cybersecurity company Forcepoint, which is tracking this activity, says in a blog post today that the malicious document delivering Emotet was not a binary Word file but an XML document carrying a .doc extension. Word identifies the format from the file's contents rather than its extension, so the file opens normally for the victim, while a scanner that decides how to parse an attachment from its extension, and expects a .doc to be an OLE container, can miss the macro entirely.

This technique also offers better obfuscation of the macro code that holds the commands responsible for retrieving the payload. Deobfuscation shows that the threat actors used the standard PowerShell downloader typically seen with Emotet.
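The XML trick described above is easy to catch if a gateway or triage script classifies attachments by content instead of by extension. The block below is an added example, not code from the article, Forcepoint or Cofense. It assumes the XML is Word's 2003 WordprocessingML format (the kind Word opens regardless of a .doc name), in which a VBA project is stored as a base64 blob in a `w:binData` element named `editdata.mso`, wrapped in an ActiveMime container. The sample document is constructed for the example and its `editdata.mso` content is a placeholder, not a real macro.

```python
# Added example, not code from the article, Forcepoint or Cofense: sniff what a
# ".doc" attachment really is and, for Word 2003 XML, pull out the base64 blobs
# that can carry a VBA project. The sample document below is constructed for
# this example; its "editdata.mso" content is a placeholder, not a real macro.
from __future__ import annotations
import base64
import xml.etree.ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) container
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"


def sniff_office_format(data: bytes) -> str:
    """Classify by content, as Word does, ignoring whatever extension the file has."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    head = data.lstrip()[:2048]
    if head.startswith(b"<?xml") and b'mso-application progid="Word.Document"' in head:
        return "word2003xml"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one container but the bytes are another."""
    expected = {"doc": "ole2", "dot": "ole2", "docx": "ooxml", "docm": "ooxml", "xml": "word2003xml"}
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in expected and sniff_office_format(data) != expected[ext]


def extract_bindata(data: bytes) -> dict[str, bytes]:
    """Return {w:name: decoded bytes} for every w:binData element in the XML."""
    root = ET.fromstring(data)
    blobs = {}
    for el in root.iter(f"{{{WORDML_NS}}}binData"):
        name = el.get(f"{{{WORDML_NS}}}name", "")
        blobs[name] = base64.b64decode("".join((el.text or "").split()))
    return blobs


def has_embedded_vba_container(data: bytes) -> bool:
    """In Word 2003 XML the VBA project rides in an 'editdata.mso' blob, an
    ActiveMime container wrapping an OLE2 file; its presence is the tell."""
    mso = extract_bindata(data).get("editdata.mso")
    return mso is not None and mso.startswith(b"ActiveMime")


# Constructed sample: a minimal Word 2003 XML document whose editdata.mso blob
# is just the ActiveMime magic plus filler (placeholder, not a real macro).
FAKE_MSO = base64.b64encode(b"ActiveMime" + b"\x00" * 16 + b"placeholder-not-a-real-macro").decode()
SAMPLE_DOC = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?mso-application progid="Word.Document"?>
<w:wordDocument xmlns:w="{WORDML_NS}">
  <w:docOleData>
    <w:binData w:name="editdata.mso">{FAKE_MSO}</w:binData>
  </w:docOleData>
  <w:body><w:p><w:r><w:t>Happy Thanksgiving</w:t></w:r></w:p></w:body>
</w:wordDocument>""".encode()

if __name__ == "__main__":
    name = "thanksgiving_card.doc"   # the extension the lure would use
    print(f"{name}: sniffed as {sniff_office_format(SAMPLE_DOC)}, "
          f"mismatch={extension_mismatch(name, SAMPLE_DOC)}, "
          f"vba_container={has_embedded_vba_container(SAMPLE_DOC)}")
```

A real triage pipeline would hand the decoded `editdata.mso` blob to a macro extractor rather than stop at the magic check, but the mismatch between a .doc name and XML content is by itself a strong enough signal to quarantine the attachment.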