Rewterz Threat Alert – Emotet Phishing Uses Political Lures

Severity

Medium

Analysis Summary

Emotet uses a variety of lure themes, some of which occasionally leverage current events or news items, like COVID-19. While TA542, the actor behind Emotet, has sent messages to local, state, and other government recipients, historically they have not directly leveraged political themes in their messaging. This month, thousands of Emotet email messages have been detected with the subject “Team Blue Take Action” being sent to hundreds of organizations in the US. The message body is taken directly from a page on the Democratic National Committee’s website, with the addition of a line requesting that the recipient open the attached document. Attached is a malicious Word document, “Team Blue Take Action.” The Word doc contains macros which, if enabled by the intended recipient, will download and install Emotet. The current second stage payload we’ve observed following Emotet is Qbot “partner01” and The Trick “morXXX” (e.g., “mor125”). Just like this campaign, Emotet and Qbot have been bundled together in infection campaigns earlier as well. Recently, a wave of sophisticated malware infecting public facing websites in Pakistan was also detected, in which both Emotet and Qbot infections were observed. 

Impact

• Credential Theft
• Information Theft
• Financial Loss

Indicators of Compromise

Email Subject

• Team Blue Take Action
• Valanters 2020
• Detailed information
• List of works
• Volunteer
• Information

Filename

• Team Blue Take Action[.]doc
• List of works[.]doc
• Valanters 2020[.]doc
• Detailed information[.]doc
• Volunteer[.]doc

MD5

• 78529a9e067203f11276d6815f7cc865

SHA-256

• 21cda873bff60530ae094d7906219b5c0cc5d98e808f8608962886683fc37504

SHA1

• 3174d9d8875bf8dc25a3d27417dfe73103ff667e

Remediation

• Block the threat indicators at their respective controls.
• Do not download untrusted files from any source.
• Search for IoCs in the environment.