Emotet malware: Greta Thunberg as a lure

RapidVPN/ July 30, 2020/ Blog/

By the end of 2019, Emotet had started a new spam campaign that lures recipients with the popularity of environmental activist Greta Thunberg and her dedication to the climate movement. Recipients who think they are being told about an upcoming “climate crisis” demonstration instead find that they have been infected with Emotet.

The spam messages typically arrive with subject lines such as “Please help save the planet”, “Support Greta Thunberg” or “Demonstration”. The pitch is an invitation to join an upcoming demonstration.

What recipients may not notice is that the time and place of the alleged demonstration are nowhere in the body of the email. To find out, they have to open a Word document attached to the message, or, in the variants that carry no attachment, follow a link from which the document can be downloaded.

Emotet is a widespread malware family that has evolved to fill a very specific cybercrime niche: delivering malware for other crooks. It started as a Trojan that silently stole victims’ banking credentials and has become a highly sophisticated, widely deployed platform that distributes other kinds of malware, most often other banking Trojans.

The Emotet gang, which at first stole banking credentials itself, evidently realised that it could make a living by renting out its malware distribution system to other criminals.

If a person opens one of those infected attachments, they see what looks like a system warning from Word itself. Don’t be fooled: that “warning” is just an image inserted into the document to trick the reader into bypassing Word’s default setting of blocking active content. If you click Enable Content, the macro inside the Word file runs a PowerShell command that goes online to fetch whatever malware comes next, which in this campaign is most likely Emotet.
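The chain above leaves two things a defender can look for: a Word file that carries a macro project, and Word spawning PowerShell with download or obfuscation switches. The script below is an added example (not code from the original post or from any vendor named on this page) that checks both. The sample document and the process-creation records are constructed here for the demo; the field layout imitates Sysmon Event ID 1 fields but is not a real log export, and the indicator list is a starting point, not a complete signature.

```python
"""Added example: detect the two observable stages of the maldoc chain
described above. Stage 1 is a Word document carrying a VBA project; stage 2
is WINWORD.EXE spawning PowerShell with download/obfuscation switches.
The sample document and log records are constructed for this demo."""
import io
import re
import zipfile

# Part names an OOXML container uses to store a VBA project.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if an OOXML file (.docm/.docx/.xlsm ...) ships a VBA project.
    Legacy OLE2 .doc files are not zip containers and need a different parser."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            names = set(z.namelist())
            ctypes = ""
            if "[Content_Types].xml" in names:
                ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return False
    return bool(VBA_PARTS & names) or VBA_CONTENT_TYPE in ctypes


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal container for the demo (not a real maldoc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 stream; a stub is enough here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()


# Switches and cmdlets commonly seen in the macro-launched PowerShell stage.
PS_INDICATORS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|"
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient)",
    re.IGNORECASE,
)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' process-creation record."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def flag_event(event: dict) -> dict:
    """Alert when an Office process spawns PowerShell; list indicators found."""
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    child = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    indicators = sorted({m.group(0).lower() for m in PS_INDICATORS.finditer(cmd)})
    office_to_ps = parent in OFFICE_IMAGES and child in POWERSHELL_IMAGES
    if office_to_ps and indicators:
        severity = "high"
    elif office_to_ps:
        severity = "medium"
    else:
        severity = "none"
    return {"alert": office_to_ps, "severity": severity, "indicators": indicators}


# Constructed records: one maldoc launch, one admin script, one benign child.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "CommandLine=powershell -w hidden -nop -enc QQBCAEMA",
    "ParentImage=C:\\Windows\\explorer.exe|"
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "CommandLine=powershell -NoProfile -File C:\\scripts\\backup.ps1",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "Image=C:\\Windows\\splwow64.exe|CommandLine=splwow64.exe 12288",
]


def triage(lines) -> list:
    """Run flag_event over a batch of records and return the verdicts in order."""
    return [flag_event(parse_event(line)) for line in lines]


if __name__ == "__main__":
    print("macro doc:", has_vba_project(build_sample_docx(True)))
    print("clean doc:", has_vba_project(build_sample_docx(False)))
    for verdict in triage(SAMPLE_EVENTS):
        print(verdict)
```

The parent/child check is deliberately narrow: it only fires when Word is the direct parent of PowerShell. Emotet macros have also launched PowerShell through intermediaries such as cmd.exe or WMI (where wmiprvse.exe becomes the parent), so in production the same indicator scan should also run on those process trees, and the document check should be paired with an OLE2 parser for legacy .doc files.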

The final payload reportedly differs by the victim’s geolocation and even by the type of computer. If the victim is on a Mac, for example, the script tries a Mac-specific payload rather than sending a Windows program that would never run there.

What to do?

First, don’t open attachments you didn’t ask for or expect. If this were a real invitation, the time and location would be in plain view in the body of the email, not hidden in an unsolicited attachment.

Second, don’t turn off security features just because a document tells you to. Microsoft disables macro content by default for a reason: to protect you from dangerous documents. Organisations can enforce this centrally with the Office policy that blocks macros in files downloaded from the internet, so that no yellow bar with an Enable Content button ever appears.

Third, choose anti-virus that offers behaviour blocking and web filtering as well as plain file scanning. The multi-step chain this malware uses (email, document, macro, PowerShell download, payload) can be blocked at any one of its stages, while the crooks have to succeed at every one of them. Multi-layered defence means you win.

The Greta Thunberg campaign ran during the Christmas holidays. The fraudulent emails cited a holiday-season demonstration on Christmas Eve and urged recipients to demonstrate instead of shop. It reportedly targeted .com and .edu addresses as well as addresses under the top-level domains of Japan, Italy, the United Arab Emirates, Australia, Germany, Canada and Singapore, with subject lines observed in Italian, French, Polish and Spanish. The choice of lure suggests the gang was aiming at a young audience, since Thunberg’s supporters include many students and young people.

The purpose of the campaign was to deliver a banking Trojan that continues to be among the most costly and destructive malware affecting state, local, tribal and territorial governments as well as the private and public sectors. Proofpoint has warned about Emotet before: its Q3 Threat Report found the malware to be the dominant banking Trojan and a high risk to users, accounting for almost 12% of all malicious mail in Q3.

None of this is surprising: malware usually relies on social engineering. Most malware today infects computers when someone clicks a link or opens an attachment. Since Thunberg has such universal appeal and interest, using her name can be thought of as social engineering on a massive scale.

Ever since she gained publicity for her climate movement and was recently named Time’s Person of the Year, she has been used as a lure. She is a reliable source of public interest and awareness.

This campaign is a reminder that attackers won’t hesitate to exploit people’s best intentions during the holiday season. It is also a reminder of how important environmental awareness has become and how significant Greta Thunberg is globally. Attackers choose their lures by following public interest and awareness.