Medium
Emotet uses a variety of lure themes, some of which occasionally leverage current events or news items such as COVID-19. While TA542, the actor behind Emotet, has sent messages to local, state, and other government recipients, historically it has not directly leveraged political themes in its messaging. This month, thousands of Emotet email messages with the subject “Team Blue Take Action” have been detected being sent to hundreds of organizations in the US. The message body is taken directly from a page on the Democratic National Committee’s website, with the addition of a line asking the recipient to open the attached document. The attachment is a malicious Word document, also named “Team Blue Take Action.” The document contains macros which, if enabled by the recipient, download and install Emotet. The second-stage payloads we have observed following Emotet in this campaign are Qbot “partner01” and The Trick “morXXX” (e.g., “mor125”). Emotet and Qbot have been bundled together in earlier infection campaigns as well. Recently, a wave of sophisticated malware infecting public-facing websites in Pakistan was also detected, in which both Emotet and Qbot infections were observed.
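The lure described above (a known subject line and a macro-enabled Word attachment) can be triaged at the mail gateway. The following is an added example, not code from the original report: it parses raw RFC 822 messages with Python's standard `email` module and flags the campaign's subject/attachment name plus any attachment that looks like a macro-capable Office container. The sample messages, sender/recipient addresses and the `quarantine`/`pass` verdict names are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the campaign described in the report above.
LURE_SUBJECT = "team blue take action"
RISKY_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm")
# Magic bytes of a legacy OLE2/CFB container (classic .doc); OOXML files
# with macros carry a "vbaProject.bin" entry name in their zip structure.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_message(raw: bytes) -> dict:
    """Return findings and a verdict for one raw email message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    findings = []
    if LURE_SUBJECT in subject.lower():
        findings.append("lure-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"office-attachment:{name}")
        if LURE_SUBJECT in name:
            findings.append("lure-attachment-name")
        # Heuristic: content sniffing, not extension, decides macro capability.
        if payload.startswith(OLE_MAGIC) or b"vbaProject.bin" in payload:
            findings.append(f"macro-capable-container:{name}")
    suspicious = "lure-subject" in findings or any(
        f.startswith("macro-capable-container") for f in findings
    )
    return {"subject": subject, "findings": findings,
            "verdict": "quarantine" if suspicious else "pass"}


def build_sample(subject: str, filename: str, blob: bytes) -> bytes:
    """Construct a sample message (hypothetical addresses) for offline testing."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m.set_content("Please open the attached document.")
    m.add_attachment(blob, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed samples: a lure-shaped message and a benign one.
LURE_SAMPLE = build_sample("Team Blue Take Action", "Team Blue Take Action.doc",
                           OLE_MAGIC + b"\x00" * 64)
BENIGN_SAMPLE = build_sample("Q3 budget notes", "notes.txt", b"plain text")
```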