Emotet, the notorious banking trojan that evolved into a malware downloader, is active again just days before Christmas. Its operators are already known for using local events and incidents as lures to get victims to open malicious attachments. Recently they have been observed loading the payload as a DLL while displaying a fake error message.
What has been discovered?
Many of the malicious emails sent by the Emotet group used Christmas-themed and COVID-19 vaccine-related lures.
- This recent spam campaign started in mid-December and it could lead to compromised business networks, as people are still working from home.
- More than 100,000 messages in English, German, Spanish, Italian, and other languages have been discovered. The lures rely on thread hijacking and deliver password-protected ZIP archives, Word attachments, and URLs.
- Emotet has worm-like features that enable network-wide infections. In addition, the trojan now uses modular DLLs to regularly update and evolve its capabilities.
- Proofpoint issued alerts on Twitter on December 21 that showed a screenshot of the social engineering trick fooling recipients into turning off a Microsoft 365 feature that blocks malicious documents.
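The lure patterns listed above (password-protected ZIPs, Office attachments, and hijacked reply threads) can be turned into simple mail-gateway triage rules. The following is an added example, not code from the original article or from any vendor it names: it builds a few constructed sample messages, inspects ZIP attachments without extracting them (the encryption bit in the ZIP header is all the gateway needs), and assigns a verdict. The weights, extension list and sample subjects are assumptions chosen for illustration.

```python
"""Mail-gateway triage for the Emotet lure patterns described above.
Added example with constructed sample messages; not code from the page."""
import io
import struct
import zipfile
import zlib
from email.message import EmailMessage

# Assumed extension list; tune to your environment.
OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".rtf")
ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose bit flag


def build_zip(name, data, encrypted):
    """Build a minimal single-entry stored ZIP for testing (constructed data).

    Only the 'encrypted' header flag is set; the body stays in clear so the
    sample is harmless. Gateway triage only needs the flag, not the contents.
    """
    flags = ZIP_ENCRYPTED_FLAG if encrypted else 0
    fname = name.encode()
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, len(data), len(data), len(fname), 0) + fname + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          0, 0x21, crc, len(data), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def zip_entries(payload):
    """Return (entry name, is_password_protected) for each entry in a ZIP blob.
    Only the central directory is read; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return [(i.filename, bool(i.flag_bits & ZIP_ENCRYPTED_FLAG))
                for i in zf.infolist()]


def analyze_attachment(filename, payload):
    """Score one attachment. Returns (weight, reason) pairs."""
    findings = []
    lower = filename.lower()
    if lower.endswith(OFFICE_EXTS):
        findings.append((1, f"Office document attached: {filename}"))
    if lower.endswith(".zip"):
        try:
            for name, protected in zip_entries(payload):
                if protected:
                    findings.append((3, f"password-protected ZIP entry: {name}"))
                if name.lower().endswith(OFFICE_EXTS):
                    findings.append((2, f"Office document inside ZIP: {name}"))
        except zipfile.BadZipFile:
            findings.append((2, f"attachment named .zip is not a valid ZIP: {filename}"))
    return findings


def triage_message(msg):
    """Combine attachment findings with a reply-chain subject heuristic."""
    subject = (msg.get("Subject") or "").strip()
    attachments = list(msg.iter_attachments())
    findings = []
    for part in attachments:
        findings += analyze_attachment(part.get_filename() or "",
                                       part.get_payload(decode=True) or b"")
    # Thread hijacking reuses stolen conversations, so a reply/forward subject
    # carrying an attachment is a cheap extra signal (weak on its own).
    if attachments and subject.lower().startswith(("re:", "aw:", "fw:", "fwd:")):
        findings.append((1, "reply-style subject with attachment (possible thread hijack)"))
    score = sum(w for w, _ in findings)
    verdict = "quarantine" if score >= 3 else "review" if score else "deliver"
    return {"subject": subject, "score": score, "verdict": verdict,
            "reasons": [r for _, r in findings]}


def build_samples():
    """Three constructed messages: a lure, a benign mail, and a borderline one."""
    lure = EmailMessage()
    lure["Subject"] = "RE: Christmas party invoice"
    lure.set_content("Please see the attached file, the password is 1234.")
    lure.add_attachment(
        build_zip("Invoice_Dec2020.doc", b"placeholder body", encrypted=True),
        maintype="application", subtype="zip", filename="Invoice_Dec2020.zip")

    benign = EmailMessage()
    benign["Subject"] = "Happy holidays from the team"
    benign.set_content("See you in January!")

    borderline = EmailMessage()
    borderline["Subject"] = "Agenda for Monday"
    borderline.set_content("Agenda attached.")
    borderline.add_attachment(b"placeholder body", maintype="application",
                              subtype="msword", filename="Agenda.doc")
    return [lure, benign, borderline]


if __name__ == "__main__":
    for result in map(triage_message, build_samples()):
        print(result["verdict"].upper(), "|", result["subject"], "|", result["reasons"])
```

The ZIP check deliberately reads only the central directory: an encrypted entry cannot be opened without the password anyway, and a gateway should never need to extract an untrusted archive to decide whether to hold it. The reply-subject heuristic is intentionally low-weight, since legitimate replies carry attachments all the time; it only tips the verdict when combined with a stronger signal.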
Holiday season as an opportunity
Cybercriminals often try to cash in on every possible opportunity and take advantage of the holiday season.
- Two weeks ago, an ongoing Christmas-themed spam campaign was found using a malicious file detected as TROJ_ARTIEF.RTN.
- Last month, a massive Zoom phishing email campaign was found targeting Thanksgiving meetings.
Holiday seasons are considered an opportunity for cybercriminals to launch new attacks, since many organizations operate with limited staff. Experts therefore urge organizations to be especially vigilant and to avoid clicking on links or attachments in suspicious emails.