The Emotet botnet began sending holiday-themed emails today. While this isn't necessarily new for them, it does show that they are constantly experimenting with timely themes alongside their reply-chain style emails. Below are a few examples of emails that we saw cross our wires today:
Emotet has been going strong recently and has been seen using templates based on package delivery services, designed to catch those of us waiting on gifts by surprise. We have also observed medical-themed emails that try to get the curious to click through. And in line with the end of the year, they have been leveraging the open enrollment period to push emails with an urgent message to review the attached document to secure your benefits.
While knowing this is useful, Emotet never sticks with just one theme. On any given day we see a vast number of emails that range from generic invoice-style lures to reply-chain emails that contain highly personal information about the targets. It's no wonder this botnet is so effective at luring people to click through warnings at an alarming rate. With this degree of variability, their emails bypass many signature-based tools and end up in users' inboxes; a blocklist of subjects or attachment hashes built from one day's samples is stale by the next, so treat such lists as hunting material for what has already landed rather than as a primary control. Today alone we have already seen:
Over 38,000 unique subjects
Hundreds of unique payload URLs
Over 200 unique attachment hashes
Over 5600 unique senders
Emotet remains one of the most prolific and dangerous botnets around and actively targets any email account it can get its hands on (personal, corporate, or government) with impunity.
Attachment Hashes (MD5) Seen With This Holiday Campaign:
ff672d7400c3b3240772d04cd8a2c5c9
dadf58e8ca8c70aabf43b457afbeee94
6a595de77a595a2c9ced5b893f561284
b4527e627628becf7a148274681e84c0
f560511718965ac456ceb15d8f94d6b8
243df211fa93d0add2069066d4426f91
d6d239b9630244cd33f5583d409e9346
e39dd7b5d0b38a852c45e72c3dc737a0
c2ec288fe393ad390c8c7130248ea590
393251f1e3486d39a58721f5079a7480
8cafc5df600a53a477160a3c0901b493
65395f1ae78d6742d4017ad8818d4fc1
6a4bfa9fa3842bfeedb7fa2f5741ead8
b29681eeb3d304e99fd28b0baa39f498
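The hash list above is only useful if it is actually checked against what arrived. The following script is an added example, not part of the original post: it loads the published hashes as-is from a whitespace-separated dump, rejects anything that is not a well-formed MD5 so a mangled copy-paste cannot silently shrink the list, and then walks a directory of extracted attachments looking for matches. The attachments in the demo are constructed (a file containing the RFC 1321 test vector "abc", whose MD5 is 900150983cd24fb0d6963f7d28e17f72, stands in for a hit); none of them are real Emotet samples, and the demo hash is added to the set only so the match path runs offline.

```python
"""Match extracted attachment files against the Emotet MD5 IOC list above.

Added example, not code from the original post. IOC_TEXT is the hash list as
published; the demo files and DEMO_VECTOR are constructed so this runs offline.
"""
import hashlib
import os
import re
import tempfile

# The attachment hashes published in this post, pasted as a whitespace-separated dump.
IOC_TEXT = """
ff672d7400c3b3240772d04cd8a2c5c9 dadf58e8ca8c70aabf43b457afbeee94
6a595de77a595a2c9ced5b893f561284 b4527e627628becf7a148274681e84c0
f560511718965ac456ceb15d8f94d6b8 243df211fa93d0add2069066d4426f91
d6d239b9630244cd33f5583d409e9346 e39dd7b5d0b38a852c45e72c3dc737a0
c2ec288fe393ad390c8c7130248ea590 393251f1e3486d39a58721f5079a7480
8cafc5df600a53a477160a3c0901b493 65395f1ae78d6742d4017ad8818d4fc1
6a4bfa9fa3842bfeedb7fa2f5741ead8 b29681eeb3d304e99fd28b0baa39f498
"""

# Constructed demo IOC: MD5("abc") from RFC 1321. Not an Emotet hash.
DEMO_VECTOR = "900150983cd24fb0d6963f7d28e17f72"

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_iocs(text: str) -> set[str]:
    """Split a whitespace-separated hash dump into a set of lowercase MD5 strings.

    A token that is not exactly 32 hex characters raises instead of being
    dropped, so a truncated or mangled paste fails loudly rather than quietly
    producing a shorter blocklist.
    """
    hashes: set[str] = set()
    for token in text.split():
        token = token.lower()
        if not MD5_RE.match(token):
            raise ValueError(f"not an MD5 hash: {token!r}")
        hashes.add(token)
    return hashes


def md5_file(path: str) -> str:
    """MD5 of a file, read in chunks so large attachments do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, iocs: set[str]) -> list[tuple[str, str]]:
    """Return sorted (path, md5) pairs for every file under root whose MD5 is in iocs."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = md5_file(path)
            if digest in iocs:
                hits.append((path, digest))
    return sorted(hits)


def demo() -> list[tuple[str, str]]:
    """Constructed demo: two files in a temp dir, one of which matches DEMO_VECTOR."""
    iocs = parse_iocs(IOC_TEXT) | {DEMO_VECTOR}
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "invoice.doc"), "wb") as f:
            f.write(b"abc")  # constructed stand-in for a matching attachment
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"benign content\n")
        return [(os.path.basename(p), d) for p, d in scan_directory(tmp, iocs)]


if __name__ == "__main__":
    print(f"{len(parse_iocs(IOC_TEXT))} IOC hashes loaded")
    for name, digest in demo():
        print(f"HIT {name} {digest}")
```

Point it at the directory your mail gateway or sandbox writes extracted attachments to, with `parse_iocs` fed from the published list rather than the demo set. MD5 is used only because that is what the post publishes; given that the campaign produced over 200 distinct attachment hashes in a single day, expect this check to confirm what has already landed, not to block tomorrow's wave.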