Emotet, one of the most costly and destructive banking Trojans, has returned after a short break. The malicious code is typically delivered through a document attached to, or a URL link inside, an email. The email is tailored to look legitimate, and the malware is usually disguised as an invoice or a PDF attachment.
Emotet activity had fallen significantly in early October, but by the end of October it had returned with a new module that harvests email subject lines and up to 16 KB of each email body from infected mailboxes.
On 13 November, new Emotet activity was spotted by Cofense, a phishing-defence company. These emails spoof trusted, well-known companies so that recipients lower their guard and click the links.
The new wave of emails carries a Word document as an attachment. The document contains a malicious macro which, once the recipient enables macros and it executes, downloads and runs the Emotet malware.
Once Emotet is running, it downloads a second piece of malware onto the device, chosen for a specific purpose. In the 13 November campaign this was IcedID, a banking Trojan that targets investment and financial institutions.
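As an added triage example (not Cofense's tooling or anything from the article), the script below parses a raw email with the Python standard library and flags the three traits of the delivery chain described above: a display name that claims a company domain different from the sending address, a Return-Path that disagrees with the From domain, and an Office attachment carrying a VBA project. The macro check is a heuristic (a `vbaProject.bin` entry in an OOXML zip, or the UTF-16LE `Macros` / `_VBA_PROJECT` storage names in a legacy OLE file), not a full Office parser. The sample message, its domains and the placeholder `vbaProject.bin` are all constructed here and are not a real lure.

```python
"""Triage one raw RFC 822 message for an Emotet-style macro lure.
Added example, not the article's or Cofense's code; all domains are hypothetical."""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

OFFICE_EXTENSIONS = (".doc", ".dot", ".docx", ".docm", ".dotm", ".rtf")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (Compound File) header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm container
# VBA storage/stream names in a legacy .doc; OLE directory entries are UTF-16LE.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]
DOMAIN_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.I)


def attachment_has_macro(data: bytes) -> bool:
    """Heuristic, not a full Office parser: True if a VBA project looks present."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    return False


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> list:
    """Return human-readable findings for one message (empty list = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display-name spoofing: the name claims one domain, the address uses another.
    realname, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    claimed = DOMAIN_RE.search(realname)
    if claimed and claimed.group(0).lower() != from_domain:
        findings.append(f"display name claims {claimed.group(0)} but address is @{from_domain}")

    # 2. Envelope sender (Return-Path) that does not match the visible From domain.
    _, rp_addr = email.utils.parseaddr(str(msg.get("Return-Path", "")))
    rp_domain = _domain(rp_addr)
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # 3. Office attachments, with and without an embedded VBA project.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(OFFICE_EXTENSIONS):
            continue
        data = part.get_payload(decode=True) or b""
        if attachment_has_macro(data):
            findings.append(f"attachment {name} contains a VBA macro project")
        else:
            findings.append(f"attachment {name} is an Office document without a VBA project")
    return findings


def build_office_zip(with_macro: bool) -> bytes:
    """Minimal OOXML-shaped zip; vbaProject.bin here is a placeholder, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed lure in the shape the article describes; hypothetical domains."""
    msg = EmailMessage()
    msg["From"] = '"Accounts Payable - example-bank.com" <billing@attacker-example.net>'
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice 4471 overdue"
    msg["Return-Path"] = "<x7q1@mailer-example.org>"
    msg.set_content("Please review the attached invoice and remit payment today.")
    msg.add_attachment(build_office_zip(with_macro=True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_4471.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample_email()):
        print("FINDING:", line)
```

Run against the constructed message it reports three findings: the display-name/domain mismatch, the Return-Path mismatch, and the macro-bearing `.docm`. The heuristics are deliberately simple; in production you would pair them with SPF/DKIM/DMARC results and a proper OLE/OOXML parser, but the three checks map directly onto the spoofing and macro tricks the campaign relies on.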
Cofense reported that Emotet continues to grow and evolve, becoming more sophisticated and more malicious, and noted significant improvements in the social-engineering tricks it uses. They also said that "at least 20,000 credentials" have been added to the list of credentials used by Emotet.
A separate Emotet campaign that started on 19 November delivered 27,000 emails in under 10 hours. These emails carry a Thanksgiving message, a sharp contrast with the usual invoice lures that play on a sense of financial urgency. Some are addressed to the victim by name and contain a Thanksgiving greeting together with a clickable attachment that masquerades as a Thanksgiving card but carries Emotet.