{"id":5942,"date":"2021-01-26T16:57:01","date_gmt":"2021-01-27T00:57:01","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5942"},"modified":"2024-04-26T13:20:57","modified_gmt":"2024-04-26T20:20:57","slug":"italian-emotet-campaign","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/italian-emotet-campaign\/","title":{"rendered":"Italian Emotet Campaign"},"content":{"rendered":"

Author: Nathan Toporek<\/h3>\n

TLP: WHITE<\/h3>\n

 <\/p>\n

Overview<\/h3>\n

On 22 January, Infoblox observed a large malspam campaign targeting Italian speakers and delivering Emotet malware. This campaign delivered emails containing malicious, password-protected ZIP archives with a Microsoft Word document that infects victims when opened.<\/p>\n

Infoblox has written several reports on malspam campaigns targeting Italian-speaking users with various malware.1, 2, 3<\/sup> We have also reported on previous Emotet campaigns that have used English-language political and holiday-themed email lures.4, 5, 6<\/sup><\/p>\n

Customer Impact<\/h3>\n

Emotet is a notorious banking trojan and infostealer that was first observed in 2014.7<\/sup>Emotet can steal banking data and passwords from a victim\u2019s computer, as well as download and install additional malware such as Trickbot or Qakbot.8<\/sup><\/p>\n

Once it downloads additional malware, it can spread laterally across a network by sending malicious emails to contacts of the infected victim, carrying out brute force attacks, and using Trickbot to launch exploits such as EternalBlue.9<\/sup><\/p>\n

Campaign Analysis<\/h3>\n

In this campaign, threat actors sent emails written in Italian, with message bodies requesting the victim open the file attachment. The threat actors used hundreds of unique subject lines and message bodies; however, generally speaking, they all either referred to prior discussions or urged the victim to open the file.<\/p>\n

Attack Chain<\/h3>\n

In the emails, threat actors attached a password-protected ZIP archive containing a malicious Word document and specified the password in the message body. When the victim decrypts the archive and opens the Word document, they will be prompted to enable macros. When the victim complies, the Word document contacts various URLs to download and infect them with Emotet malware.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

This campaign relies on social engineering tactics to lure victims into downloading malicious attachments. As such, Infoblox recommends taking the following precautions to reduce the likelihood of such an attack succeeding: <\/p>\n