Threat Management, Malware, Phishing

Rising sea and spam levels? Emotet campaign uses Greta Thunberg as lure

An Emotet banking trojan phishing campaign was spotted using the name of activist Greta Thunberg as a lure to target individuals concerned with climate change.

The attackers behind the campaign recently sent out fake invitations to a nonexistent "climate crisis" demonstration supposedly led by the young Swedish activist, who was named Time's 2019 Person of the Year.

The emails came with a Word document attachment titled "Support Greta Thunberg.doc." If a user were to open this document and enable its malicious macros, then a PowerShell command would download and execute Emotet, according to recent reports [1, 2] from Proofpoint and BleepingComputer, citing a tweet from ExecuteMalware. Once active, Emotet would run in the background while using victimized machines to distribute spam and download additional malware.

"You can spend Christmas Eve looking for gifts for children. They will tell you Thank You only that day. But the children will thank you all their lives if you come out for the biggest demonstration in protest against the inaction of the government in connection with the climate crisis," the phishing email read, encouraging the recipient to pass the letter on to their colleagues, friends and relatives.

The campaign reportedly targeted .com and .edu email addresses, as well as addresses featuring the top-level domains of Japan, Germany, Italy, the United Arab Emirates, Australia, the U.K., Switzerland, the European Union, the U.S., Austria, Canada and Singapore. Subject lines were observed in Spanish, Italian, French and Polish.

"It’s... interesting to note that we’ve seen significant targeting of .edu domains. In fact, we saw more .edu domains attacked than domains associated with any specific country. This makes sense given the strong support Thunberg has among students and young people," reported Sherrod DeGrippo, Proofpoint blog author and senior director of threat research and detection.

"This campaign serves as a reminder that attackers won’t hesitate to target people’s best intentions during this holiday season," DeGrippo added. "It also serves as a mark of how significant environmental awareness has become and how well-known Greta Thunberg is globally. Attackers choose their lures carefully: in many ways their lures are a reliable barometer of public interest and awareness."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.