Windows 10 News and info | Forum
Topic: Beware of Thanksgiving eCard Emails Distributing Malware
« on: November 28, 2019, 08:45:52 PM »

With Thanksgiving being celebrated in the United States, malware distributors are sending out holiday-themed emails to distribute the Emotet Trojan and other malware.

New email campaigns are underway that pretend to be Thanksgiving Day greeting cards and office closing notices with last-minute invoices. Users who fall for the emails and open the attached Word documents will be left with a Windows computer infected with a password-stealing Trojan and possibly other malware.

One of the malicious email campaigns discovered by BleepingComputer pretends to be a "Thanksgiving Day Greeting Card" with a Word document attachment named "Thanksgiving-eCard.doc".

Thanksgiving Day Greeting Card malspam

As you can see by the text below, the email pretends to be from someone sending a Thanksgiving eCard and wishes for a nice holiday.


Good day,

Wishing you a picture-perfect table with a positive mood on this holiday season. Happy Thanksgiving!

Attachment: Thanksgiving Day Greeting eCard.

“Gratitude makes sense of our past, brings peace for today and creates a vision for tomorrow.” - Melody Beattie

Another malicious email campaign discovered by the Emotet tracking group Cryptolaemus pretends to be a reply to a previous email and contains a malicious Word document.


This email template also tells the user that they are closed for the Thanksgiving holiday and upcoming future holidays. This may be done to create a sense of urgency and to have the recipient open the email knowing that they cannot confirm its authenticity due to the sender's office being closed for the holiday.


Please see the attached file.

Thanksgiving Holiday: Closed November 28th & 29th; Christmas Holiday: Closed December 23rd - December 27th; New Years: Closed December 31 - January 1st.

Have a wonderful Thanksgiving!

With many people in the U.S. sleepy from eating turkey, the hopes are that holiday-themed lures coupled with the holiday business closures will make users slip and open the attachments.

Malicious Word docs lead to Trojans

For either of these malspam campaigns, if a user opens the malicious Word document they will be presented with a screen stating that they need to "Enable Content" or "Enable Editing" in order to properly view it.

Malicious Word Document

These Word documents contain obfuscated macros that will either download malware from a remote host or extract it from an embedded payload.

Obfuscated Word macros

If the user clicks the "Enable Content" button, the macros will execute and install the malware on the victim's computer.

For the Emotet malspam, the malware will be extracted to a folder under the %LocalAppData% folder and then executed.

Emotet installed in Windows

Once the malware launches, it will begin to perform a variety of tasks such as downloading further malware, stealing stored passwords, potentially offering remote access to the attackers, and, in Emotet's case, eventually installing ransomware.

As always, never open attachments from strangers and if you receive an unusual attachment, always reach out by text or phone and ask the user if they sent it.

Finally, if a Word document asks you to Enable Content or Enable Editing, this should always be a source of concern and users should not do so unless it is confirmed the email is legitimate.
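
A mail-triage check for the macro-bearing Word attachments described in this post, as an added example that is not part of the original post or the article it reproduces. It relies on a byte-marker heuristic (the OLE container signature plus UTF-16LE VBA storage names, or `vbaProject.bin` inside an OOXML zip); the function names, the sample message and its inert attachments are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc container signature
# OLE directory entry names are UTF-16LE; these storages hold a VBA project.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]

def attachment_verdict(data: bytes) -> str:
    """Return 'macro', 'office-no-macro' or 'other' for one attachment."""
    if data.startswith(OLE_MAGIC):
        return "macro" if any(m in data for m in VBA_MARKERS) else "office-no-macro"
    if data.startswith(b"PK"):  # OOXML (.docx/.docm) is a zip archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "other"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if "[Content_Types].xml" in names:
            return "office-no-macro"
    return "other"

def triage(raw_eml: bytes):
    """List (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    return [(p.get_filename(), attachment_verdict(p.get_payload(decode=True) or b""))
            for p in msg.iter_attachments()]

def sample_eml() -> bytes:
    """Constructed message; attachments are inert filler bytes, not real documents."""
    m = EmailMessage()
    m["Subject"] = "Thanksgiving Day Greeting Card"
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m.set_content("Attachment: Thanksgiving Day Greeting eCard.")
    with_vba = OLE_MAGIC + b"\x00" * 64 + VBA_MARKERS[0]
    m.add_attachment(with_vba, maintype="application", subtype="msword",
                     filename="Thanksgiving-eCard.doc")
    m.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                     subtype="msword", filename="notes.doc")
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in triage(sample_eml()):
        print(f"{name}: {'QUARANTINE' if verdict == 'macro' else 'pass'} ({verdict})")
```

A marker match only says the file can carry macros, so a gateway would typically quarantine or strip such attachments for review rather than treat the verdict as proof of malice.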

