Season's greetings: Now install my malware…

The Emotet botnet began sending holiday themed emails today. While this isn’t necessarily new to them, it does go to show that they are constantly experimenting with relevant themes along with their reply-chain style emails. Below are a few examples of emails that we saw cross our wires today:

[Example emails: Holiday Schedule Theme; Christmas Party 1; Christmas Party 2]

Emotet has been going strong recently and has been seen using templates based on package delivery services to catch those of us waiting on gifts by surprise. We have also observed emails with a medical theme that try to get the curious to click through. And, in line with the end of the year, they have been leveraging the open enrollment period to push emails with an urgent message to review the attached document to secure your benefits.

While knowing this is useful, Emotet never sticks with just one theme. On any given day, we see a vast number of emails ranging from generic invoice-style emails to ones using reply-chain tactics that contain highly personal information related to the targets. It's no wonder that this botnet is so effective at luring people to click through warnings at an alarming rate. With a high degree of variability in their emails, they are able to bypass many signature-based tools and end up in users' inboxes. Today alone we have already seen:

Over 38,000 unique subjects

Hundreds of unique payload URLs

Over 200 unique attachment hashes

Over 5600 unique senders

Emotet remains one of the most prolific and dangerous botnets around and actively targets any email accounts it can get its hands on (e.g., personal, corporate, or government) with impunity.

Attachment Hashes Seen With This Holiday Campaign:


