Spammers behind one of the most prolific botnets of recent years have begun bombarding users with Christmas-themed phishing lures, according to researchers.
Phishing emails sent by the Emotet botnet were spotted by Cofense Labs. With typical subject lines such as “Christmas” or “Christmas Party,” the emails try to gain legitimacy by mimicking the internal messages of this sort that circulate at this time of year.
One particular phishing email posted to Twitter by the vendor read:
“I have attached the menu for the Christmas Party next week. If you would like bring something, look at the list and let me know. Don't forget to get your donations in for the money tree. Also, wear your tackiest/ugliest Christmas sweater to the party.”
Malicious Word documents are typically attached to these emails, with names like “Party menu” and “Annual Holiday Lunch.” They require the user to “enable editing” to view, but clicking on this button will execute embedded macros to install the Emotet Trojan.
Once installed, this could provide various groups with the means to attempt ransomware downloads and send more spam and phishing emails.
Like TrickBot, Emotet was originally a banking Trojan, but then was re-written to function as a malware loader. Its operators sell access for clients to use it as a malware distribution network.
According to Malwarebytes, Emotet malware was detected and removed over 1.5 million times between January and September 2018. In July 2018, the threat became so serious that the US-CERT was forced to release an alert about Emotet and its capabilities.
The Christmas phishing lures have been seen before: back in 2018 Trend Micro warned of a similar campaign targeting UK users. It urged them at the time to automatically disable macros in their security settings.
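As an added illustration (not from Cofense, Trend Micro or the original article), the sketch below shows how a mail filter could flag the pattern described above: a seasonal subject line combined with a Word attachment able to carry macros. The keyword list, function names and sample message are assumptions constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container header
LURE_WORDS = ("christmas", "holiday", "party")   # assumed list, based on the subjects quoted above

def has_macros(data):
    """Return a reason string if the attachment can carry VBA macros, else None."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros cannot be ruled out without an OLE parser.
        return "legacy OLE2 document (may contain macros)"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    return "OOXML document with vbaProject.bin"
        except zipfile.BadZipFile:
            return "malformed ZIP container"
    return None

def triage(raw):
    """Parse a raw RFC 5322 message and list attachments worth quarantining."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    themed = any(w in subject for w in LURE_WORDS)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = has_macros(part.get_payload(decode=True) or b"")
        if reason:
            tag = "seasonal-lure+macro" if themed else "macro"
            findings.append(f"{tag}: {name}: {reason}")
    return findings

def build_sample(with_macro):
    """Constructed sample message; the 'macro' part is an empty placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"")
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Christmas Party", "a@example.com", "b@example.com"
    m.set_content("I have attached the menu.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="octet-stream", filename="Party menu.docm")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(True)))
```

A check like this complements, rather than replaces, disabling macros on the endpoint, since legacy-format documents are only flagged as possible macro carriers.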