Thousands of Emotet emails contain a message body pulled directly from the Democratic National Committee website, researchers report.
A new Emotet attack campaign impersonates the Democratic National Committee (DNC) to convince victims to open a malicious document containing macros to download and install the malware.
Emotet reappeared on the threat landscape this summer following a brief hiatus in early 2020. Since its return, security researchers tracking the threat report attackers have adopted new tactics, including defense evasion techniques that help them bypass endpoint detection tools.
Proofpoint researchers say TA542, the attacker behind Emotet, has historically sent messages to state and local government recipients but has not used political lures. This changed on Oct. 1, when they saw thousands of Emotet emails with the subject line "Team Blue Take Action" sent to hundreds of organizations based in the US. The message body was pulled directly from a page on the DNC website with the addition of a line asking the target to open an attached file.
This file is a Word document, also titled "Team Blue Take Action," which contains macros that, if enabled, will download and install Emotet, the research team explains in a blog post. The current second-stage payload is Qbot "partner01" and The Trick "morXXX," with the X standing for a number -- for example, "mor125."
Researchers noticed additional related subjects including Valanters 2020, Detailed information, List of works, Volunteer, and Information. Additional related file names include Team Blue Take Action.doc, List of works.doc, Valanters 2020.doc, Detailed information.doc, and Volunteer.doc.
It's unlikely Emotet's political messaging is driven by a particular political ideology, researchers report. The attackers' adoption of political lures arrived shortly after the first 2020 presidential debate and weeks ahead of the presidential election. Researchers say it's more likely TA542 is leveraging a popular topic to reach as many victims as possible.
Read the full blog post for more details.
About the Author(s)
You May Also Like
The fuel in the new AI race: Data
April 23, 2024Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024