Cofense Labs have detected phishing emails sent by the Emotet botnet, with typical subject lines such as “Christmas” or “Christmas Party” aiming to appear as legitimate by jumping onto seasonal trends for these kinds of internal emails.
One particular phishing email posted to Twitter by the vendor read: “I have attached the menu for the Christmas Party next week. If you would like bring something, look at the list and let me know. Don’t forget to get your donations in for the money tree. Also, wear your tackiest/ugliest Christmas sweater to the party.”
A simple disguise
These emails usually come with Malicious Word documents with names such as “party menu”, requiring the user to “enable editing” in order to view the document. However, clicking this button will instead execute embedded macros to install the Emotet Trojan. Once installed, this could allow various groups to attempt ransomware downloads, more spam and phishing emails.
Similar to TrickBot, Emotet was originally designed as a banking Trojan. Over time, it was re-written to function as a malware loader. Those who operate it sell access for clients to use it as a malware distribution network.
According to Malwarebytes, Emotet malware was detected and removed more than 1.5 million times between January and September in 2018. In July of that year, the threat took such a serious turn that the US-CERT had to release an alert regarding Emotet and its capabilities.
A Christmas phishing tradition
And this is not the first time Christmas phishing lures have been used. In 2018, Trend Micro warned of a similar campaign targeting users in the UK and urged them to automatically disable macros in their security settings.
Whitehall Media’s prestigious biannual 12th ESRM conference is set to discuss how enterprises are increasing awareness from the board down, adopting effective incidence response planning, adding threat analytics to their security response and investigating security events with robust incident forensics.