Threat Signal Report

Latest Emotet Campaign Leverages Likeness of Greta Thunberg

Description

The FortiGuard SE team is aware of a new malicious spam campaign using the likeness of climate activist Greta Thunberg to entice users into opening a malicious Word document. The contents of the email contain an email subject "Demonstration 2019" and within the body contains the following text:


MERRY CHRISTMAS

You can spend Christmas Eve looking for gifts for children. They will tell you Thank you only that day.

But the children will thank you all their lives if you come out for the biggest demonstration in protest against the inaction of the government in connection with the climate crisis.

Support Greta Thunberg - Time Person of the Year 2019

I invite you. Time and address are attached in the attached file.

FORWARD this letter to all colleagues, friends and relatives RIGHT NOW, until you forget!

Many thanks.


Once the victim opens the attached malicious Word document "Support Greta Thunberg.doc", contained within is a malicious macro that invokes PowerShell, which then ultimately downloads a payload from a remote location, which ultimately is Emotet. The sample was discovered by Twitter user @ExecuteMalware today.


What is Emotet?

Emotet was first discovered in 2014 and started out as a "simple" banking Trojan. Simple in quotes, because overtime, Emotet has evolved into a botnet as well and added modularity which has made it not only one of the most destructive, but prevalent and dangerous threats of recent memory. Emotet is deemed to be among the most costly and destructive malware affecting public and private sectors.


Back in November, the FortiGuard SE team released an Emotet blog and a playbook focusing on a specific Emotet attack campaign that FortiGuard SE team has recently observed.


What is the status of AV, IPS and Web Filtering coverage?

FortiGuard Labs has protections in place for this latest campaign and customers running the latest version of definitions are protected by the following AV signature(s):


Support Greta Thunberg.doc:

VBA/Agent.136E!tr.dldr

SHA256:[95375C8F62DF4EC1FEBC6AB8E98E9A33898D26491BF9AF5CA342C37272D25D2E]


Emotet Payload

W32/Emotet.ENKU!tr

SHA256: [8DF050DE064563D606ECE3F5F090621FE9755C765CA79799278862D9BCF37925]


Also the following URI(s) below are blocked by the FortiGuard Web Filtering client:

hxxp://www.textilesunrise[.]com/anjuv/lymjn-kpc564-0052/

hxxp://66.229[.]161.86


Are there any mitigations available?

Since it has been reported that this threat has been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of various types of attacks delivered via social engineering. This can be accomplished through regularly occurring training sessions and impromptu tests using predetermined templates by internal security departments within an organization. Simple user awareness training on how to spot emails with malicious attachments or links could help prevent initial access into the network. If user awareness training fails and the user succumbs to opening the attachment or link, FortiClient running the latest up to date antivirus definitions will detect and block files and URI's associated with this latest campaign. FortiMail can also detect and mitigate this threat to prevent initial delivery.


What platforms are affected?

All Windows based platforms with Microsoft Office installed.


Will this run on Apple based platforms?

While the macro will potentially run, the downloaded malware will not, as it is a Windows PE file and platform specific.


Has there been any observed in the wild attacks?

Yes. There have been in the wild attacks have been observed. Spread is unknown at this time but as Emotet has a wide geographic distribution, we can safely state that spread is wide.



MITRE ATT&CK

Spear phishing Attachment

ID: T1193

Tactic: Initial Access

Platform: Windows, macOS, Linux

Data Sources: File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server

CAPEC ID: CAPEC-163

Version: 1.0


User Execution

ID: T1204

Tactic: Execution

Platform: Linux, Windows, macOS

Permissions Required: User

Data Sources: Anti-virus, Process command-line parameters, Process monitoring

Contributors: Oleg Skulkin, Group-IB

Version: 1.1


PowerShell

ID: T1086

Tactic: Execution

Platform: Windows

Permissions Required: User, Administrator

Data Sources: PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters

Supports Remote: Yes

Contributors: Praetorian

Version: 1.1


Telemetry


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.