Last Thursday, hundreds of US organisations were targeted by an Emotet spear-phishing campaign that sent thousands of emails purporting to come from the Democratic National Committee (DNC) and to recruit Democratic volunteers, a new politically charged lure for the malware.
Emotet has historically used a variety of lure themes built on current events, from COVID-19 to Greta Thunberg. However, TA542, the threat actor behind the malware, had not directly used political themes in its messaging before.
That changed with Thursday's email campaign, which featured Word document attachments labelled "Team Blue Take Action" that in fact infected victims with Emotet.
Politically Themed Lures
"The shift to using politically themed lures comes days after the first of several 2020 US presidential debates," observed researchers with Proofpoint in a Thursday post. "The debate received widespread media coverage, and as Election Day draws nearer, many voters are likely feeling compelled to volunteer for political causes or for the election in some way."
The email messages carried the subject line "Team Blue Take Action," with a message body taken directly from a page on the DNC's website (democrats.org/team-blue), the researchers said.
That body describes Team Blue, the DNC's 2018 volunteer recruitment program, and says that Team Blue is being relaunched for the 2020 campaign. The email then asks the recipient to open the attached document.
The attached Word document contains macros which, if enabled, download and install Emotet. In this campaign the researchers are also seeing a second-stage payload delivered after the Emotet infection, in the form of either the Qbot trojan or The Trick (TrickBot).
Beyond the subject line "Team Blue Take Action," the researchers observed other subject lines, including "Valanters 2020" and "List of Works," and varying attachment names such as "Detailed information.doc" and "Volunteer.doc."
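The indicators above (subject lines, attachment names, a macro-bearing legacy .doc) are enough to write a first-pass triage rule for a mail gateway. The script below is an added example, not Proofpoint's or TA542's code: the subject lines and file names are the ones reported in this article, while the `Message`/`Attachment` records, the sample messages and the "sender-not-dnc" heuristic (genuine Team Blue mail is assumed to come from democrats.org) are constructed assumptions for the example.

```python
"""Triage mail-gateway records for the 'Team Blue' Emotet lure.

Added example, not Proofpoint's or TA542's code. The subject lines and
attachment names are the indicators reported in the article; the
Message/Attachment records, the sample messages and the 'sender-not-dnc'
heuristic are constructed assumptions for this example.
"""
from dataclasses import dataclass, field

# Indicators reported for the campaign (matched case-insensitively).
LURE_SUBJECTS = {"team blue take action", "valanters 2020", "list of works"}
LURE_FILENAMES = {"detailed information.doc", "volunteer.doc"}
# Assumption: genuine Team Blue recruitment mail comes from the DNC's domain.
DNC_DOMAIN = "democrats.org"
# Legacy binary Word formats are OLE2 compound files and may embed VBA macros.
LEGACY_WORD_EXT = (".doc", ".dot")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Macro-enabled OOXML formats are zip containers.
OOXML_MACRO_EXT = (".docm", ".dotm")
ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class Attachment:
    filename: str
    head: bytes  # first bytes of the attachment body


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def triage(msg: Message) -> list:
    """Return the tags a message earns; an empty list means no indicator hit."""
    tags = []
    if msg.subject.strip().lower() in LURE_SUBJECTS:
        tags.append("lure-subject")
    # Body lifted from democrats.org/team-blue but not sent from democrats.org.
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if "team blue" in msg.body.lower() and sender_domain != DNC_DOMAIN:
        tags.append("sender-not-dnc")
    for att in msg.attachments:
        name = att.filename.strip().lower()
        if name in LURE_FILENAMES:
            tags.append("lure-filename")
        if name.endswith(LEGACY_WORD_EXT):
            # A real legacy .doc starts with the OLE2 signature and can carry
            # VBA; anything else behind a .doc name is a content mismatch.
            tags.append("macro-capable-doc" if att.head.startswith(OLE_MAGIC)
                        else "ext-content-mismatch")
        elif name.endswith(OOXML_MACRO_EXT):
            tags.append("macro-capable-doc" if att.head.startswith(ZIP_MAGIC)
                        else "ext-content-mismatch")
    return tags


# Constructed sample records, not real captures.
SAMPLES = [
    Message("teamblue@mail-example.net", "Team Blue Take Action",
            "Team Blue is back for 2020. Open the attached document to sign up.",
            [Attachment("Volunteer.doc", OLE_MAGIC + b"\x00" * 8)]),
    Message("hr@example.org", "List of Works", "See attached.",
            [Attachment("Detailed information.doc", ZIP_MAGIC + b"\x00" * 4)]),
    Message("alice@example.com", "Lunch on Friday", "Pizza?", []),
]


def triage_all(messages=SAMPLES) -> dict:
    """Map each message subject to its triage tags."""
    return {m.subject: triage(m) for m in messages}


if __name__ == "__main__":
    for subject, tags in triage_all().items():
        verdict = "QUARANTINE " + ", ".join(tags) if tags else "clean"
        print(f"{subject!r}: {verdict}")
```

The exact-string indicators will age quickly, since TA542 rotates subjects and file names between waves; the structural checks (a legacy OLE .doc or a .docm arriving from outside the organisation, and a sender domain that does not match the organisation the body impersonates) are the part of the rule worth keeping.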
Although disinformation is a key concern for many as the November US presidential election draws close, the researchers believe this lure was simply used to convince as many voters as possible, fired up after Tuesday evening's debate, to click.
“It’s unlikely that this shift is driven by any specific political ideology,” they commented. “Like earlier use of COVID-19 or Greta Thunberg lure themes, TA542 is attempting to reach as many intended recipients as possible by capitalising on a popular topic.”
Emotet started out as a banking trojan in 2014 and has continually evolved into a 'full-service threat-delivery' mechanism. It can install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware.
Emotet returned in July after a five-month break, in a campaign that spammed Microsoft Office users with hundreds of thousands of malicious emails. Since its 2014 debut the malware has grown into a fully-fledged botnet designed to steal account credentials and download further malware.
Before that, Emotet was last seen in February 2020 in a campaign that sent SMS messages purporting to be from victims' banks; recipients who clicked the links in the text messages were asked to hand over their banking credentials and download a file that infected their systems with Emotet.
Also in February, researchers uncovered an Emotet malware sample with the ability to spread to insecure Wi-Fi networks near an infected device.