A Poisoned Gift for Thanksgiving Day: Emotet Comes in a New Disguise to Break into Your Bank Account

save
Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

Cybercriminals fond of celebration dates like Thanksgiving Day — but not for the same reason that upstanding people do. For the perpetrators, it’s the favorite time to attack. Why? Because people are tuned on pleasant and good thoughts and feelings on such days. Unfortunately, it makes them more vulnerable. When they see a greeting letter in the inboxes, they feel gratitude and curiosity — who sent it?—and click on the attached file without thinking about potential danger.

On the eve of this Thanksgiving day Comodo specialists intercepted a cunning attack aimed at propagating one of the currently most nefarious malware – Emotet trojan, usually used for stealing banking credentials and other private information.

Usually this malware spread mostly as a finance-related email like a message from a bank. Here is an example of such email intercepted by Comodo facilities.

Bill-Pay-Alert

As you can see, the attackers used well-prepared fake able to deceive even security aware user. The link in the email leads to “rozdroza.com/En_us/Clients_Messages/11_18” URL. If a user clicks the link, the poisoned Microsoft Office document file automatically drops on her machine.

But on the eve of the Thanksgiving day the perpetrators decided to make something special and disguise the infected file as a greeting card. Below are the samples of the phishing emails they are using in the new attack.

Thanksgivingday-congradulation

 

Thanksgivingday-Greeting_Card

As you can see, these emails are also carefully worked out to look plausible. They have different content but in every case it’s build to inspire pleasant and warm emotions in the victims. Be it a hearty greeting, admiration of a colleague or even a piece of poetry, it arouses a good mood in the victims, thus weakening their vigilance.

The quotes of great people at the bottom of the messages also used to inspire trust in the victims, raising chances they will open the document – and let the enemy in the house. In reality, the “greeting card” is a Word document infected with Emotet.

Let’s look at the whole killing chain of this cunning malware.

The infected file has embedded Macro script. When a user opens a “greeting card”, the macros downloads Emotet on the victim’s machine.  

First, the user is instructed to enable the execution of Macro content as the document contains a VBA stream designed to download and execute the malware.

Office-365

 

Auto-Open

If the user allows the active content to run, the code will call cmd.exe with modified parameters that will again call cmd.exe with obfuscated parameters that, finally, pass a script to powershell.exe designed to download and run binaries from the internet.

The obfuscated parameters used to launch cmd.exe are stored in a textbox that is resized to be unnoticeable for the victim.

Command-Box

 

Explorer-window

After that, the script probes five locations to download Emotet: anora71.uz/aH3i9EM, egyptmotours.com/EfRRkqPucD, friskyeliquid.com/xspcYyA63, m3produtora.com/QOlBVnrL40, litsey4.ru/V5XLXxDubY.

Then it downloads the malware to the user’s Temporary folder and executes it. Emotet moves itself to C:WindowsSysWOW64cachingplain.exe and creates a service to run during system startup.

Parameters

 

Create-Service

The newly created service connects to the C&C server to notify availability and receive commands.

From this moment, the infected machine is under total control of the attackers. They can extract the users’ credential, banking and other private information from the PC and continue the attack by downloading other types of malware.

Frame-Summary

“The attack is a complicated poisoned merge of refined well-disguised malware and psychological manipulation tricks”, says Fatih Orhan, The Head of Comodo Threat Research Labs. “It’s not only dangerous and destroying from the technical point of view but especially cynic and immoral because of exploiting peoples’ bright feelings in a grand holiday. It’s always bad to be robbed but it’s much worse to be robbed in such a great holiday and aware that perpetrators used your own bright feelings against you. I’m really glad we protected our customers from these painful consequences and didn’t let the perpetrators spoil a celebration of such a grand day”.

 

The heatmap and details of the attack

The attack started on November 19, 2018 at 18:34:12 and was continuing at the moment of creating this article. It was conducted from 26 IPs of 10 countries. 108 phishing emails are discovered for the moment and supposedly, the attack will reach its peak on Thanksgiving day.

 

The countries involved in the attack and number of emails sent per country

table-data

The heatmap

Map-Locations

Live secure with Comodo!

The post A Poisoned Gift for Thanksgiving Day: Emotet Comes in a New Disguise to Break into Your Bank Account appeared first on Comodo News and Internet Security Information.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
Follow
1 Followers
About Comodo
Comodo Cybersecurity is a global innovator of cybersecurity solutions, and a division of Comodo Security Solutions Inc. For over 20 years, Comodo Cybersecurity has been at the forefront of successfully protecting the most sensitive data; and today, we deliver an innovative cybersecurity platform that renders threats useless across the LAN, Web & Cloud. Comodo Cybersecurity’s ongoing mission is to protect what matters most, while enabling businesses and customers to confidently accept risk in a world where preventing all attacks is impossible.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel