Cybercriminals are fond of celebration dates like Thanksgiving Day — but not for the same reason upstanding people are. For the perpetrators, it is a favorite time to attack. Why? Because on such days people are tuned to pleasant thoughts and feelings, and unfortunately that makes them more vulnerable. When they see a greeting in their inbox, they feel gratitude and curiosity — who sent it? — and click on the attached file without thinking about the potential danger.
On the eve of this Thanksgiving Day, Comodo specialists intercepted a cunning attack aimed at propagating one of the most nefarious malware families currently active: the Emotet trojan, usually used for stealing banking credentials and other private information.
Usually this malware spreads through finance-themed emails, such as a message purporting to come from a bank. Here is an example of such an email intercepted by Comodo.
As you can see, the attackers used a well-prepared fake able to deceive even a security-aware user. The link in the email leads to the URL “rozdroza.com/En_us/Clients_Messages/11_18”. If a user clicks the link, the poisoned Microsoft Office document is automatically dropped on her machine.
But on the eve of Thanksgiving Day the perpetrators decided to do something special and disguise the infected file as a greeting card. Below are samples of the phishing emails used in the new attack.
As you can see, these emails are also carefully crafted to look plausible. They have different content, but in every case it is built to inspire pleasant, warm emotions in the victims. Be it a hearty greeting, admiration for a colleague or even a piece of poetry, it puts the victims in a good mood and thus weakens their vigilance.
The quotes from famous people at the bottom of the messages are also used to inspire trust in the victims, raising the chances that they will open the document and let the enemy into the house. In reality, the “greeting card” is a Word document infected with Emotet.
Let’s look at the whole kill chain of this cunning malware.
The infected file has an embedded macro. When a user opens the “greeting card”, the macro downloads Emotet onto the victim’s machine.
First, the user is prompted to enable macro content, as the document contains a VBA stream designed to download and execute the malware.
If the user allows the active content to run, the code calls cmd.exe with modified parameters, which in turn calls cmd.exe with obfuscated parameters that finally pass a script to powershell.exe designed to download and run binaries from the internet.
The obfuscated parameters used to launch cmd.exe are stored in a text box that is resized to be unnoticeable to the victim.
After that, the script probes five locations to download Emotet: anora71.uz/aH3i9EM, egyptmotours.com/EfRRkqPucD, friskyeliquid.com/xspcYyA63, m3produtora.com/QOlBVnrL40, litsey4.ru/V5XLXxDubY.
Then it downloads the malware to the user’s Temporary folder and executes it. Emotet moves itself to C:\Windows\SysWOW64\cachingplain.exe and creates a service so that it runs at system startup.
The newly created service connects to the C&C server to announce its availability and receive commands.
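The chain described in the steps above (Office document, nested cmd.exe, powershell.exe fetching from the listed hosts, a drop in Temp, the copy to SysWOW64 and the new service) is what a defender can look for in endpoint telemetry. The following is an added detection example, not Comodo's code and not taken from the attack itself: it runs over a handful of constructed, Sysmon-style process, file and service events (built inline, not real telemetry) and flags each stage using only the paths, file name and download hosts named in this write-up. The event field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `path`, `name`) are an assumed simplified schema.

```python
"""Hunt for the Emotet macro delivery chain described in the write-up.

Added example (not Comodo's code). Input is a list of constructed,
Sysmon-like event dicts; output is a dict of findings per stage.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Download locations quoted in the write-up (host part only)
EMOTET_HOSTS = {"anora71.uz", "egyptmotours.com", "friskyeliquid.com",
                "m3produtora.com", "litsey4.ru"}
# Persistence location quoted in the write-up
PERSIST_PATH = r"c:\windows\syswow64\cachingplain.exe"
TEMP_EXE = re.compile(r"\\temp\\[^\\]+\.exe$", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Process records from pid up to the root, nearest first."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(events):
    """Return findings for each stage of the chain; empty lists mean no hit."""
    findings = {"office_chain": [], "known_host": [], "temp_drop": [], "persistence": []}
    for e in events:
        if e["type"] == "process":
            name = basename(e["image"])
            parents = [basename(p["image"]) for p in ancestry(events, e["pid"])[1:]]
            # Stage 1: Office -> cmd.exe (-> cmd.exe) -> powershell.exe
            if name == "powershell.exe" and "cmd.exe" in parents and OFFICE_APPS & set(parents):
                findings["office_chain"].append({"pid": e["pid"], "cmd_depth": parents.count("cmd.exe")})
            # Stage 2: command line referencing one of the five download hosts
            for host in HOST_RE.findall(e.get("cmdline", "")):
                if host.lower() in EMOTET_HOSTS:
                    findings["known_host"].append({"pid": e["pid"], "host": host.lower()})
            # Stage 3: an executable launched from the user's Temp folder
            if TEMP_EXE.search(e["image"]):
                findings["temp_drop"].append({"pid": e["pid"], "image": e["image"]})
        # Stage 4: copy to SysWOW64\cachingplain.exe and a service pointing at it
        elif e["type"] == "file" and e["path"].lower() == PERSIST_PATH:
            findings["persistence"].append({"pid": e["pid"], "what": "file " + e["path"]})
        elif e["type"] == "service" and e["image"].lower() == PERSIST_PATH:
            findings["persistence"].append({"pid": e["pid"], "what": "service " + e["name"]})
    return findings


# Constructed sample telemetry mirroring the write-up; not real captured events.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 20, "ppid": 10, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE "C:\Users\alice\Downloads\Thanksgiving_Card.doc"'},
    {"type": "process", "pid": 21, "ppid": 20, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c cmd ..."},
    {"type": "process", "pid": 22, "ppid": 21, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd ..."},
    {"type": "process", "pid": 23, "ppid": 22,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden ... http://anora71.uz/aH3i9EM ... http://litsey4.ru/V5XLXxDubY"},
    {"type": "file", "pid": 23, "path": r"C:\Users\alice\AppData\Local\Temp\472.exe"},
    {"type": "process", "pid": 24, "ppid": 23, "image": r"C:\Users\alice\AppData\Local\Temp\472.exe", "cmdline": "472.exe"},
    {"type": "file", "pid": 24, "path": r"C:\Windows\SysWOW64\cachingplain.exe"},
    {"type": "service", "pid": 24, "name": "cachingplain", "image": r"C:\Windows\SysWOW64\cachingplain.exe"},
    # Benign control: an admin launching PowerShell from Explorer must not match stage 1
    {"type": "process", "pid": 30, "ppid": 10,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe Get-Service"},
]

if __name__ == "__main__":
    for stage, hits in analyze(SAMPLE_EVENTS).items():
        print(stage, hits)
```

The stage 1 rule deliberately keys on the process ancestry rather than on the obfuscated command line, because the text box trick and the cmd.exe-in-cmd.exe nesting exist precisely to make the parameters hard to pattern-match; the parent chain Office app to cmd.exe to powershell.exe survives any amount of string obfuscation. The host list and the SysWOW64 path are campaign-specific indicators and will age, whereas the ancestry and Temp-launch rules describe the technique.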
From this moment, the infected machine is under the total control of the attackers. They can extract the user’s credentials, banking details and other private information from the PC and continue the attack by downloading other types of malware.
“The attack is a complicated poisoned merge of refined well-disguised malware and psychological manipulation tricks”, says Fatih Orhan, the Head of Comodo Threat Research Labs. “It’s not only dangerous and destroying from the technical point of view but especially cynical and immoral because of exploiting people’s bright feelings on a grand holiday. It’s always bad to be robbed but it’s much worse to be robbed on such a great holiday and to be aware that perpetrators used your own bright feelings against you. I’m really glad we protected our customers from these painful consequences and didn’t let the perpetrators spoil a celebration of such a grand day”.
The heatmap and details of the attack
The attack started on November 19, 2018 at 18:34:12 and was still continuing at the time of writing. It was conducted from 26 IPs in 10 countries. 108 phishing emails have been discovered so far, and the attack is expected to peak on Thanksgiving Day.
The countries involved in the attack and number of emails sent per country
Live secure with Comodo!