Threat Signal ReportLatest Emotet Campaign Leverages Likeness of Greta Thunberg
Description
The FortiGuard SE team is aware of a new malicious spam campaign using the likeness of climate activist Greta Thunberg to entice users into opening a malicious Word document. The contents of the email contain an email subject "Demonstration 2019" and within the body contains the following text:
MERRY CHRISTMAS
You can spend Christmas Eve looking for gifts for children. They will tell you Thank you only that day.
But the children will thank you all their lives if you come out for the biggest demonstration in protest against the inaction of the government in connection with the climate crisis.
Support Greta Thunberg - Time Person of the Year 2019
I invite you. Time and address are attached in the attached file.
FORWARD this letter to all colleagues, friends and relatives RIGHT NOW, until you forget!
Many thanks.
Once the victim opens the attached malicious Word document "Support Greta Thunberg.doc", contained within is a malicious macro that invokes PowerShell, which then ultimately downloads a payload from a remote location, which ultimately is Emotet. The sample was discovered by Twitter user @ExecuteMalware today.
What is Emotet?
Emotet was first discovered in 2014 and started out as a "simple" banking Trojan. Simple in quotes, because overtime, Emotet has evolved into a botnet as well and added modularity which has made it not only one of the most destructive, but prevalent and dangerous threats of recent memory. Emotet is deemed to be among the most costly and destructive malware affecting public and private sectors.
Back in November, the FortiGuard SE team released an Emotet blog and a playbook focusing on a specific Emotet attack campaign that FortiGuard SE team has recently observed.
What is the status of AV, IPS and Web Filtering coverage?
FortiGuard Labs has protections in place for this latest campaign and customers running the latest version of definitions are protected by the following AV signature(s):
Support Greta Thunberg.doc:
VBA/Agent.136E!tr.dldr
SHA256:[95375C8F62DF4EC1FEBC6AB8E98E9A33898D26491BF9AF5CA342C37272D25D2E]
Emotet Payload
W32/Emotet.ENKU!tr
SHA256: [8DF050DE064563D606ECE3F5F090621FE9755C765CA79799278862D9BCF37925]
Also the following URI(s) below are blocked by the FortiGuard Web Filtering client:
hxxp://www.textilesunrise[.]com/anjuv/lymjn-kpc564-0052/
hxxp://66.229[.]161.86
Are there any mitigations available?
Since it has been reported that this threat has been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of various types of attacks delivered via social engineering. This can be accomplished through regularly occurring training sessions and impromptu tests using predetermined templates by internal security departments within an organization. Simple user awareness training on how to spot emails with malicious attachments or links could help prevent initial access into the network. If user awareness training fails and the user succumbs to opening the attachment or link, FortiClient running the latest up to date antivirus definitions will detect and block files and URI's associated with this latest campaign. FortiMail can also detect and mitigate this threat to prevent initial delivery.
What platforms are affected?
All Windows based platforms with Microsoft Office installed.
Will this run on Apple based platforms?
While the macro will potentially run, the downloaded malware will not, as it is a Windows PE file and platform specific.
Has there been any observed in the wild attacks?
Yes. There have been in the wild attacks have been observed. Spread is unknown at this time but as Emotet has a wide geographic distribution, we can safely state that spread is wide.
MITRE ATT&CK
Spear phishing Attachment
ID: T1193
Tactic: Initial Access
Platform: Windows, macOS, Linux
Data Sources: File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server
CAPEC ID: CAPEC-163
Version: 1.0
User Execution
ID: T1204
Tactic: Execution
Platform: Linux, Windows, macOS
Permissions Required: User
Data Sources: Anti-virus, Process command-line parameters, Process monitoring
Contributors: Oleg Skulkin, Group-IB
Version: 1.1
PowerShell
ID: T1086
Tactic: Execution
Platform: Windows
Permissions Required: User, Administrator
Data Sources: PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters
Supports Remote: Yes
Contributors: Praetorian
Version: 1.1
