Emotet reemerges after its hiatus with new Thanksgiving campaign

• The new campaign sees Emotet’s operators imitating major US financial organizations to trick victims.
• After a month-long hiatus, Emotet is back with new phishing tricks.

After a month-long hiatus, the prolific Emotet banking malware is back with a new Thanksgiving-themed campaign and new phishing tricks. The new campaign began on November 6. The malware was found using previously stolen to boost its social engineering efforts - all in order to generate revenue.

The malware’s new capabilities allow it to steal email contact lists and around 16KB of the emails’ bodies. The new campaign used lures that purported to come from trusted organizations. The phishing emails delivering Emotet also contained legitimate links that used Proofpoint’s URL Defense - a scanning service.

As observed in previous campaigns, Emotet now functions as a downloader as well as banking malware. In the most recent campaign, the malware also downloaded the IcedID malware.

“IcedID shares some basic behavior with TrickBot—another prolific banking trojan turned multipurpose botnet,” security researchers at Cofense, who discovered the new campaign, said in a report. “However, IcedID targets both investment and financial institutions as well as several bank holding companies many of which even TrickBot does not target, as TrickBot is much less focused on investment banks or smaller US commercial banks.”

The researchers found that Emotet added 20,000 credentials to its list of growing credentials. Cofense researchers said that the new campaign highlights a “shocking improvement” from previous upgrades. The new inclusion of Proofpoint URLs included in the phishing email offers users a false sense of security.

According to Forcepoint researchers, Emotet began its Thanksgiving-themed campaign on November 19.

“In the few weeks since Emotet returned it has undergone some interesting changes, most notably in the new Thanksgiving theme and macro obfuscation discussed previously,” Forcepoint researchers said in a report. “Whilst not completely novel, it does pose a challenge to defenders due to the sheer volume of emails sent, as detection signatures need to be rapidly created to stem the onrushing tide.”