The Emotet authors are popular for capitalizing on trending events and holidays by disseminating customized templates in form of Christmas and Halloween gathering invites, similarly, the malicious gang has started a new campaign taking advantage of the ongoing global pandemic. They are once again spamming corona virus-related emails to U.S businesses.
Earlier this year, in the month of February, the Emotet malware was being spread actively in pandemic ridden countries via COVID-19 themed spam. However, regarding the US businesses, the malware never had the timely chance to attack by exploiting the pandemic, as the virus encapsulated the USA in the month of March. After disappearing in February, Emotet was seen to be back stronger than ever on July 17th, 2020.
Originally designed as a banking malware, Emotet Malware was first discovered by security researchers in the year 2014, but, the threats by Emotet have constantly evolved over the years. It attempts to sneak onto the victim’s system and acquire personal information and sensitive data. Emotet uses worm-like capabilities that help it spreading itself to other connected PCs. With added functionalities to avoid detection by anti-malware software, Emotet has become one of the most expensive and dangerous malware, targeting both governments as well as private sectors. As per recent sources, Emotet also delivers third-party payloads such as IcedID, Qbot, The Trick, and Gootkit.
Emotet has been pushing malspam continually employing the same strategies the authors did in their previous array of attacks. The spam mail consists of an attachment or a link, that on being clicked, launches the Emotet payload. In this particular COVID-19 themed Emotet spam targeting U.S organizations, the malware has been sending an email that appears to be from the ‘California Fire Mechanics’ reaching out with a ‘May Covid-19 update.’ One important thing to note here is that this email is not a template designed by the Emotet authors, but instead, an email stolen from a prior victim and appropriated into the Emotet’s spam campaigns. The malicious attachment linked in this case is titled ‘EG-8777 Medical report COVID-19. Doc’. It makes use of a generic document template that had been used in older campaigns. Once downloaded on the user’s click, the Emotet gets saved to the %UserProfile% folder under a three-digit number (name), such as 745.exe. Upon execution of the same, the user’s computer will become a part of the operation, sending out further infected emails.
While alerting on 17th July, researchers at Microsoft told,“We have so far seen several hundreds of unique attachments and links in tens of thousands of emails in this campaign,”
“The download URLs typically point to compromised websites, characteristic of Emotet operations.” They further wrote.
Emotet expert Joseph Roosen told to BleepingComputer, "So far we have only seen it as part of stolen reply chain emails. We have not seen it as a generic template yet but I am sure it is just around the corner hehe. There was one reply chain I saw yesterday that was sent to 100s of addresses that were referring to the closing of an organization because of COVID-19. I would not be surprised if Ivan is filtering some of those reply chains to focus on ones that are involving COVID-19,"