Greta Thunberg: Emotet’s Person of the Year

greta thunberg malware

The Swedish climate-change activist is the lure in a massive global malware campaign.

There’s no doubt that teenage climate-change activist and Time Person of the Year Greta Thunberg inspires people around the world – and it turns out, this includes cybercriminals.

More specifically, she’s inspiring as an opportunity: According to the Proofpoint Threat Insight team, a global malicious email campaign bent on delivering the ever-changing Emotet malware is using the Swedish phenom as a lure.

The copy within the email includes a few different themes, including Thunberg’s Time nomination, the Christmas holidays, and general environmental awareness and activism.

Researchers noted that the emails contain an attached Microsoft Word document named “Support Greta Thunberg.doc”. When the recipient opens it, the Emotet malware is installed.

English-language Thunberg spam. Click to enlarge.

“Proofpoint has observed volumes in the hundreds of thousands of messages per campaign, reaching up to nearly half a million at times,” Sherrod DeGrippo, senior director of Threat Research and Detection at Proofpoint, told Threatpost. “We are seeing at least one campaign per day and sometimes more. This high volume may be due to unused capacity, or capacity that is not being rented out on the infrastructure by threat actors due to the holiday season.”

Proofpoint researchers have seen emails sent in English aimed at email addresses in the .com and .edu domains, as well as in country-specific domains in Australia, Austria, Canada, European Union, Germany, Italy, Japan, Singapore, Switzerland, United Arab Emirates and the U.K.

“Emotet attacks have been known for being global in scope, and this attack is no exception,” researchers said in Thursday blog post on the campaign. “These attacks are not only global in their targeting but also in their use of native-language lures. Our researchers have seen malicious emails with subject lines in Spanish, Italian, French and Polish.”

It’s also a testament to the impact that Thunberg has made on a worldwide scale. Cybercriminals often latch on to the current zeitgeist, including people’s holiday-season zeal for charitable giving, hot movie premieres and top celebrities that are being talked about at the moment.

“Attackers choose their lures carefully: in many ways their lures are a reliable barometer of public interest and awareness,” Proofpoint researchers noted.

Emotet started life as a banking trojan in 2014; since then it has been evolved to become a full-service threat-delivery mechanism. After a period of hibernation over the summer, it has surged in the third quarter; Proofpoint found that Emotet accounted for nearly 12 percent of all malicious email in the period.

In Q3, Emotet has been seen installing a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware. SANS ISC’s Johannes Ullrich said this week that Trickbot seems to have been the most recent sample of choice; but he has also seen an unusual spambot payload mixed in.

“On Monday 2019-12-16, I tested some Emotet samples,” he noted. “I normally get Trickbot as the follow-up malware, which I’ve already documented from Monday.  But every once in a while, I’ll see spambot traffic instead of (or in addition to) Trickbot. When I tested another Emotet sample later that day, I saw spambot traffic.”

Emotet has become a bit of a chameleon in the malware world thanks to its penchant for constantly adding new functionality. For instance, it recently added the trick of responding to existing email conversations, therefore creating more authentic-looking lure emails.

Meanwhile, in addition to the Thunberg campaign, Germany’s Federal Office for Information Security (BSI) announced this week that Emotet-laden spam emails with malicious attachments or links are currently being sent on behalf of several federal agencies.

“Several confirmed Emotet infections in federal administration authorities have been reported to the BSI in the past few days,” BSI said in an online notice [translated via Google Translate]. “There are also other suspected cases. The BSI is in close contact with the authorities concerned. These are primary infections that lead to further spam emails being sent on behalf of those affected.”

Suggested articles