Author Topic: Beware of Thanksgiving eCard Emails Distributing Malware  (Read 114 times)

Online javajolt

« on: November 28, 2019, 08:45:52 PM »


With Thanksgiving being celebrated in the United States, malware distributors are sending out holiday-themed emails to distribute the Emotet Trojan and other malware.

New email campaigns are underway that pretend to be Thanksgiving Day greeting cards and office closing notices with last-minute invoices. Users who fall for the emails and open the attached Word documents will be left with a Windows computer infected with a password-stealing Trojan and possibly other malware.

One of the malicious email campaigns discovered by BleepingComputer pretends to be a "Thanksgiving Day Greeting Card" with a Word document attachment named "Thanksgiving-eCard.doc".


Thanksgiving Day Greeting Card malspam

As you can see by the text below, the email pretends to be from someone sending a Thanksgiving eCard and wishes for a nice holiday.

Quote

Good day,

Wishing you a picture-perfect table with a positive mood on this holiday season. Happy Thanksgiving!

Attachment: Thanksgiving Day Greeting eCard.

“Gratitude makes sense of our past, brings peace for today and creates a vision for tomorrow.” - Melody Beattie

Another malicious email campaign discovered by the Emotet tracking group Cryptolaemus pretends to be a reply to a previous email and contains a malicious Word document.



This email template also tells the user that they are closed for the Thanksgiving holiday and upcoming future holidays. This may be done to create a sense of urgency and to have the recipient open the email knowing that they cannot confirm its authenticity due to the sender's office being closed for the holiday.

Quote

Please see the attached file.

Thanksgiving Holiday: Closed November 28th & 29th; Christmas Holiday: Closed December 23rd - December 27th; New Years: Closed December 31 - January 1st.

Have a wonderful Thanksgiving!

With many people in the U.S. sleepy from eating turkey, the attackers hope that holiday-themed lures coupled with the holiday business closures will make users slip and open the attachments.

Malicious Word docs lead to Trojans

For either of these malspam campaigns, if a user opens the malicious Word document they will be presented with a screen stating that they need to "Enable Content" or "Enable Editing" in order to properly view it.


Malicious Word Document

These Word documents contain obfuscated macros that will either download malware from a remote host or extract it from an embedded payload.


Obfuscated Word macros

If the user clicks the "Enable Content" button, the macros will execute and install the malware on the victim's computer.

For the Emotet malspam, the malware will be extracted to a folder under the %LocalAppData% folder and then executed.


Emotet installed in Windows

Once the malware launches, it will begin to perform a variety of tasks such as downloading further malware, stealing stored passwords, potentially offering remote access to the attackers, and, in Emotet's case, eventually installing ransomware.

As always, never open attachments from strangers, and if you receive an unusual attachment, always reach out by text or phone and ask the sender if they sent it.

Finally, if a Word document asks you to Enable Content or Enable Editing, this should always be a source of concern and users should not do so unless it is confirmed the email is legitimate.

source
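For mail administrators, the attachment pattern described in the post (a Word document that carries macros) can be flagged before delivery. The following is an added example, not part of the original post or the BleepingComputer article: the function names and the sample message are constructed for illustration, and the byte-marker check is a heuristic, not a full OLE parser.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc container signature
# OLE directory entry names are UTF-16LE; this stream name marks a VBA project.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def has_macros(data: bytes) -> bool:
    """Heuristic: True if the bytes look like an Office file carrying VBA."""
    if data.startswith(OLE_MAGIC):
        return VBA_MARKER in data
    if data.startswith(b"PK"):  # OOXML (.docm/.dotm) is a ZIP archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin")
                           for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def triage(raw_message: bytes) -> list:
    """Return [(filename, verdict)] for every attachment, judged by content,
    so a renamed file extension does not bypass the check."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        verdict = "quarantine" if has_macros(data) else "deliver"
        findings.append((part.get_filename() or "(unnamed)", verdict))
    return findings

def build_sample(macro: bool) -> bytes:
    """Constructed message; the attachment is inert filler, not a real document."""
    body = OLE_MAGIC + b"\x00" * 64 + (VBA_MARKER if macro else b"")
    msg = EmailMessage()
    msg["Subject"] = "Thanksgiving Day Greeting eCard"
    msg.set_content("Attachment: Thanksgiving Day Greeting eCard.")
    msg.add_attachment(body, maintype="application", subtype="msword",
                       filename="Thanksgiving-eCard.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(macro=True)))
    print(triage(build_sample(macro=False)))
```

A macro-bearing attachment is not proof of malware, so the "quarantine" verdict is meant to hold the message for review rather than to classify it.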