EMOTET Arrives via Spam, Greeting You a Merry Christmas

 Analysis by: Benedict Cyril Villaroman

Another wave of spam mail carrying EMOTET malware is spreading cheer. Compared to an earlier campaign where EMOTET arrived via banking-related emails, this spam wave pretends to be greeting you. The messages contain different Christmas greetings with a .doc file attached.

In the attached document, the recipient is prompted to turn on macros by clicking Enable content. If the user enables it, the malicious code downloads and runs an EMOTET variant in the recipient's system:

The macro script can be easily found, but it is obfuscated. The .doc file is already detected as Trojan.W97M.POWLOAD.THABAHAH:

One of the samples analyzed dropped a file named shimsintel.exe, which connects to a C&C server:

Based on Trend Micro telemetry, these spam emails are mostly sent to UK. Each and every user is advised to automatically disable macros in their security settings. Trend Micro users are already protected from these threats.

 SPAM BLOCKING DATE / TIME: December 18, 2018 GMT-8
  • ENGINE:8.2.1000
  • PATTERN:4298