Researchers have spotted an Emotet trojan email campaign leveraging environmental activist Greta Thunberg’s popularity to infect computers in Europe and Asia. The campaign uses the climate activist’s name to target domains with .com and .edu extensions (Greta is very popular among students). Attackers are also geotargeting the attack, so European and Asian countries top the charts, followed by Australia and the U.S.
According to researchers at Proofpoint and ExecuteMalware, the emails making the rounds look like just another invitation from Greta to a climate change summit or demonstration, with enticing subject lines such as “Demonstration 2019” or “I invite you”. The emails also encourage recipients to forward the message to their family and friends.
So, what is malicious about such a mail? The email body itself contains no malicious code; it is the MS Word attachment that is malicious. Researchers say the malicious Word document is often named “Support Greta Thunberg.doc”. Once the recipient opens the attachment, they are prompted to click “Enable editing” and then “Enable content” to view the demonstration information. Clicking “Enable Content” executes a PowerShell command that installs the Emotet trojan. Emotet, a banking trojan, has been around since 2014 but has recently become more common. Once installed, Emotet runs unnoticed in the background, downloading further malware onto the computer and spreading to other computers on the network.
A few days ago, Germany’s federal cybersecurity agency, the BSI, also warned of an active malware spam campaign aimed at distributing the Emotet banking trojan. The messages in that campaign appear to be sent by a German federal authority, but they are not. A security alert published by the BSI stated, “Currently, an increasing number of spam mails have been sent to several federal agencies with malicious attachments or links in their names. The Federal Office for Information Security (BSI) calls for special caution and warns against opening these emails and links. Several confirmed Emotet infections in federal administration authorities have been reported to the BSI in the past few days.”
To stay alert to Emotet infection, the BSI recommends checking the sender name carefully before opening any attachment. If in doubt, confirm by telephone with the purported sender that the email was actually sent by them. In addition, the execution of macros when opening Office documents should be avoided and, ideally, prevented centrally.
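One way to apply that last recommendation on a Windows host, as an added example that is not from the article or the BSI: the script below audits and hardens Word’s macro policy by writing the same registry values that the Office Group Policy templates set centrally. It assumes Office 2016/2019/365 (policy key version 16.0) and the per-user Policies hive; in a domain the identical values are pushed through GPO instead of running this on each machine.

```powershell
# Added example: audit/harden Word macro policy via the Office policy registry keys.
# Assumption: Office 16.0 (2016/2019/365). VBAWarnings values:
#   1 = enable all macros, 2 = disable with notification (default; shows "Enable Content"),
#   3 = disable all except digitally signed, 4 = disable all without notification.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

function Get-WordMacroPolicy {
    $meaning = @{
        1 = 'Enable all macros (weak)'
        2 = 'Disable with notification - user can click Enable Content (weak)'
        3 = 'Disable all except digitally signed macros'
        4 = 'Disable all macros without notification (hardened)'
    }
    $value = (Get-ItemProperty -Path $PolicyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $motw  = (Get-ItemProperty -Path $PolicyKey -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
    [pscustomobject]@{
        VBAWarnings       = if ($null -eq $value) { 'not set (Office default behaves like 2)' } else { "$value - $($meaning[[int]$value])" }
        BlockFromInternet = if ($motw -eq 1) { 'enabled' } else { 'disabled' }
    }
}

function Set-WordMacroPolicy {
    param([ValidateSet(3, 4)][int]$VBAWarnings = 4)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Removes the "Enable Content" path the lure depends on (3 keeps signed macros only).
    Set-ItemProperty -Path $PolicyKey -Name VBAWarnings -Value $VBAWarnings -Type DWord
    # Also blocks macros in files carrying the mark-of-the-web, which covers mail attachments and downloads.
    Set-ItemProperty -Path $PolicyKey -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
}

# Show the current (likely weak) state, harden, then show the result.
Get-WordMacroPolicy
Set-WordMacroPolicy -VBAWarnings 4
Get-WordMacroPolicy
```

Use `-VBAWarnings 3` where signed internal macros must keep working; the setting under the Policies hive overrides what the user can change in the Trust Center.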