The PolySwarm Blog


Emotet's Christmas-themed phishing email ramps up - get hashes and file details in PolySwarm

Dec 18, 2019 11:04:51 AM / by PolySwarm Team


Cybercriminals behind Emotet, one of the most prolific botnets in recent history, have ramped up a new Christmas-themed phishing campaign. The lure is a malicious Word attachment (.doc) posing as the menu for an upcoming Christmas party.

***

See the hashes, which engines are detecting the files, and other details in PolySwarm:

Party Menu.doc -> https://polyswarm.network/scan/results/f58a05d8-0491-46de-bb77-7768c2553f93

Christmas Party.doc -> https://polyswarm.network/scan/results/c4b7066a-5da2-413d-940e-4014f64478a4 

***

Using subject lines like "Christmas" or "Christmas Party", they are clearly tapping into the timeliness of the holiday to get their victims to click.

One of the phishing emails reads as follows:

“I have attached the menu for the Christmas Party next week. If you would like bring something, look at the list and let me know. Don't forget to get your donations in for the money tree. Also, wear your tackiest/ugliest Christmas sweater to the party.”

Once Emotet is installed, the victim's machine can receive follow-on payloads, including ransomware, and can be used to send spam and further phishing emails.

Emotet is well-known as a banking Trojan, but it now operates primarily as a malware loader, using infected hosts as a distribution network for other malware.
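For defenders who want a first-pass check on incoming mail before pivoting to the PolySwarm results, here is an added example (our own, not PolySwarm code and not taken from the campaign samples) that triages an attachment offline: it hashes the file so the SHA-256 can be looked up, checks that a .doc really is an OLE2 compound file, looks for the UTF-16LE directory-entry names that a VBA project leaves in the raw bytes, and matches the subject against the lure wording quoted above. The page only states that the lures are .doc attachments sent under "Christmas"/"Christmas Party" subjects; that they carry VBA macros is an assumption of this example based on Emotet's usual delivery. The sample bytes and blocklist below are constructed for the demo, not real indicators; the real hashes are on the linked result pages.

```python
# Added example (not PolySwarm's code): offline first-pass triage of an e-mail
# attachment that resembles the Christmas-party lure described in the post.
# The macro heuristic and the subject pattern are assumptions of this example.
import hashlib
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # [MS-CFB] compound file header

# Storage/stream names an OLE2 Word document carries when it holds a VBA
# project.  They are stored as UTF-16LE in the directory sectors, so a raw
# byte search finds them without a full CFB parser (a proper tool such as
# olevba should do the real analysis; this is only a quick filter).
VBA_MARKERS = {name: name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")}

# Subject-line pattern for the lure described in the post.
LURE_SUBJECT = re.compile(r"\bchristmas(\s+party)?\b", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the attachment; this is the value to search for in PolySwarm."""
    return hashlib.sha256(data).hexdigest()


def is_ole_document(data: bytes) -> bool:
    """Legacy .doc files are OLE2 compound files and start with the CFB magic."""
    return data.startswith(OLE_MAGIC)


def vba_markers_present(data: bytes) -> list:
    """Names of VBA-related storages found in the raw bytes (empty if none)."""
    return [name for name, raw in VBA_MARKERS.items() if raw in data]


def triage_attachment(subject: str, filename: str, data: bytes, known_bad: set) -> dict:
    """Return a verdict ("block", "review" or "allow") and the reasons for it."""
    digest = sha256_hex(data)
    reasons = []
    if digest in known_bad:
        reasons.append("sha256 matches a known-bad sample")
    if LURE_SUBJECT.search(subject or ""):
        reasons.append("subject matches the Christmas-party lure")
    ole = is_ole_document(data)
    if filename.lower().endswith(".doc") and not ole:
        reasons.append(".doc extension but not an OLE2 container")
    markers = vba_markers_present(data) if ole else []
    if markers:
        reasons.append("OLE document carries a VBA project (%s)" % ", ".join(markers))
    # Hash hits and macro-bearing lures are blocked outright; a lure subject or
    # a type mismatch alone is only flagged for review, since legitimate party
    # invites use the same words and RTF files are often renamed to .doc.
    if digest in known_bad or markers:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"sha256": digest, "verdict": verdict, "reasons": reasons}


# Constructed sample: a stub OLE header followed by the directory-entry names a
# macro-bearing .doc contains.  It is NOT one of the campaign samples.
FAKE_MALDOC = (OLE_MAGIC + b"\x00" * 504 + VBA_MARKERS["Macros"]
               + b"\x00" * 32 + VBA_MARKERS["_VBA_PROJECT"])
# Constructed macro-free document: same header, only a WordDocument stream name.
FAKE_BENIGN_DOC = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
# Constructed blocklist, seeded from the fake sample above.
KNOWN_BAD = {sha256_hex(FAKE_MALDOC)}


if __name__ == "__main__":
    for subj, name, blob in (
        ("Christmas Party", "Party Menu.doc", FAKE_MALDOC),
        ("Christmas", "Christmas Party.doc", FAKE_BENIGN_DOC),
        ("Q4 report", "report.doc", b"%PDF-1.4 not really a doc"),
    ):
        print(name, triage_attachment(subj, name, blob, KNOWN_BAD))
```

The verdict logic deliberately keeps the subject match as a weak signal: blocking every "Christmas Party" mail in December would drown the helpdesk, whereas a VBA project inside a party-menu document, or a hash that is already on the blocklist, is worth stopping at the gateway and pivoting to the PolySwarm result page for engine coverage.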

***

Related dropper samples from this Christmas email phishing campaign, currently active:

Scan permalink: https://polyswarm.network/scan/results/b7adbb73-4307-4da9-8ea7-30bf7b4f87b5

Scan permalink: https://polyswarm.network/scan/results/fffaad2a-1933-441d-8496-0a80e8669c72

Scan permalink: https://polyswarm.network/scan/results/2776c215-8e26-48b4-b255-7ef7a6c85e2d

Scan permalink: https://polyswarm.network/scan/results/0a001cfe-69cb-4f5c-894a-bf7572577bd2

Scan permalink: https://polyswarm.network/scan/results/ca1f632e-9686-42e5-a9fc-b114f06e49bf

Scan permalink: https://polyswarm.network/scan/results/4e39c88a-41e3-437f-90a7-aa02bbba0752

Scan permalink: https://polyswarm.network/scan/results/f2461570-d6c1-4de0-8dfc-8881d15cb27a

Scan permalink: https://polyswarm.network/scan/results/00d2551c-4012-4a2b-abb1-01d0718e7e7b

Scan permalink: https://polyswarm.network/scan/results/1afdc0bf-544c-472e-b76a-3145f358a8ff

Scan permalink: https://polyswarm.network/scan/results/2ac10bf8-38d4-434d-80f3-cfe4a18073af

Scan permalink: https://polyswarm.network/scan/results/0f9e1eb9-a774-4a50-b66d-ec99a7ce4ac0

Scan permalink: https://polyswarm.network/scan/results/ca444c1f-9c7a-4bea-b743-ccc1bd8640a0

Scan permalink: https://polyswarm.network/scan/results/761af363-3da1-48a9-931c-ff491ed6b77f

Scan permalink: https://polyswarm.network/scan/results/74b23917-3549-4096-9e18-0ea399091f32

***

About PolySwarm: 

PolySwarm is a threat intelligence platform that focuses on new and emerging malware. It uses an open source, crowdsourced model where specialized individual experts and niche antivirus companies compete to detect 0-day threats in real-time to protect enterprises. Accuracy and early detection are rewarded, and the coverage of their anti-malware engines is combined into a single access point. Try it out at polyswarm.network. 
