On August 14, 2020, details were released regarding a new spam campaign that uses COVID-19 themed lures to target users from US organizations, with the end goal of dropping the Emotet malware onto the victims’ devices. A security researcher who goes by the moniker “Fate112” identified the campaign on August 8, 2020, and stated that this new Emotet campaign uses a stolen email purporting to be from the “California Fire Mechanics.” The email contains a malicious attachment, titled “EG-8777 Medical report COVID-19.doc,” and has the subject line “CFMA May COVID-19 update.” Once the file is opened, the victims are asked to click the “Enable Content” button to view the document. Once the victims click the ‘Enable Content’ button, a PowerShell command is executed which downloads the Emotet malware executable, identified as “498.exe,” and saves it to the “%UserProfile%” folder.
Once the malware is executed, the victim’s machine will become part of the malware bot operation to send further spam emails. Additionally, the Emotet malware has other capabilities such as the ability to download and install additional payloads for other malware variants, like Qbot or TrickBot, which can be used to steal personal data and could potentially lead to ransomware deployment.
Nuspire recommends organizations use the following measures to help mitigate against the aforementioned campaign:
The following indicators of compromise were released with the researcher’s findings.