Rewterz Threat Advisory
Severity
High
Analysis Summary
Researchers tracking Emotet are warning that the malware now installs Cobalt Strike directly on infected systems, with no intermediate payload.
“WARNING We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: https://t.co/imJDQTGqxV Note the traffic to lartmana[.]com. This is an active CS Teams Server. 1/x”
Emotet began as a banking trojan and has evolved into a malware loader that spreads through spam emails carrying malicious Word or Excel attachments. Previously, Emotet installed the TrickBot or Qbot trojans on infected systems, and those trojans in turn deployed Cobalt Strike. Emotet now deploys Cobalt Strike payloads directly.
Cobalt Strike is a legitimate, commercial penetration-testing toolkit whose “Beacon” implant gives an operator remote control of a compromised host. Stolen or cracked copies are widely abused by threat actors, and Beacon is a common post-exploitation stage in ransomware attacks.
“Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware.”
The main concern is the lost detection window. When Emotet first dropped TrickBot or Qbot, defenders had a chance to catch those payloads before Cobalt Strike arrived. With that intermediate stage skipped, Cobalt Strike gives the threat actors immediate hands-on access to the victim’s network, from which they can move laterally, steal data, and deploy ransomware.
Impact
- Credential Theft
- Information Theft
- Lateral Movement and Ransomware Deployment
- Financial Loss
Indicators of Compromise
Domain Name
- lartmana[.]com
- guvonuk[.]com
MD5
- 63ab5d17585a8734d643324e2a8fa90e
- f3e31cd5f0972e4dbc789807ad2d129b
SHA-256
- 5b5fa30bf12f13f881708222824517d662f410b212a0f7f7ce5c611fd809f809
- 3f13e9bc8011c8bc8f3d7cb9a616ed6da1b6f16d9fcaa65d29d81caf2d5574d3
SHA-1
- a02e0dbcfb20c3f5f2e8965f6b4dbe31928bee7b
- 2e5f9a632bf889f6e4d25c264a842478e3ba4cad
URL
- http[:]//lartmana[.]com[:]443/jquery-3[.]3[.]1[.]min[.]js
- http[:]//guvonuk[.]com[:]443/static-directory/bn[.]png
- http[:]//guvonuk[.]com[:]443/language[.]js
Remediation
- Block the listed domains, URLs and file hashes at your perimeter, proxy, DNS and endpoint controls.
- Search for these IOCs in your environment: proxy and DNS logs for the domains and URLs, and endpoint telemetry or file hashes for the listed samples. Note that the advisory lists the URLs as plain http on port 443, so match on host and path rather than on scheme or port. The lartmana[.]com beacon URL uses the GET URI of the public “jquery-c2” Cobalt Strike malleable profile, so hunting for that path on other hosts can surface additional beacons, at the cost of false positives from genuine jQuery downloads.
- Block or restrict Office macros where possible, since Emotet’s Word and Excel lures rely on them to execute.
- Treat emails from unknown senders with suspicion, and never open links or attachments they contain.
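The following Python script is an added example of the “search for IOCs” step above; it is not part of the Rewterz advisory and is not Emotet or Cobalt Strike code. It refangs the indicators listed in this advisory, scans proxy and DNS log lines for the domains and URLs (matching on host and path so the http-on-443 form and a proxy’s https form both hit), and looks up file digests of any case against the MD5/SHA-1/SHA-256 lists. The log formats, the sample log lines and the IP addresses are constructed for the example. It goes one step beyond the listed IOCs with a lower-confidence `cs-profile-uri` verdict for the `/jquery-3.3.1.min.js` path from the public jquery-c2 Cobalt Strike profile, and deliberately includes a benign jQuery CDN download to show why that verdict is a lead to triage rather than a confirmed hit.

```python
# Added example for the "search for IOCs" step: only the indicator values below are
# from the advisory; the log formats and sample lines are constructed for this demo.
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Advisory indicators, kept defanged so this file is safe to share.
ADVISORY_DOMAINS = ["lartmana[.]com", "guvonuk[.]com"]
ADVISORY_URLS = [
    "http[:]//lartmana[.]com[:]443/jquery-3[.]3[.]1[.]min[.]js",
    "http[:]//guvonuk[.]com[:]443/static-directory/bn[.]png",
    "http[:]//guvonuk[.]com[:]443/language[.]js",
]
ADVISORY_HASHES = {
    "md5": ["63ab5d17585a8734d643324e2a8fa90e", "f3e31cd5f0972e4dbc789807ad2d129b"],
    "sha1": ["a02e0dbcfb20c3f5f2e8965f6b4dbe31928bee7b", "2e5f9a632bf889f6e4d25c264a842478e3ba4cad"],
    "sha256": ["5b5fa30bf12f13f881708222824517d662f410b212a0f7f7ce5c611fd809f809",
               "3f13e9bc8011c8bc8f3d7cb9a616ed6da1b6f16d9fcaa65d29d81caf2d5574d3"],
}
# Lower-confidence pattern: GET URI of the public "jquery-c2" Cobalt Strike malleable
# profile, which the lartmana[.]com beacon uses. Genuine jQuery downloads hit it too.
GENERIC_CS_PATHS = {"/jquery-3.3.1.min.js"}

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def normalize_url(url: str) -> Tuple[str, str]:
    """Reduce a URL to (host, path). Scheme and port are dropped on purpose: the advisory
    lists plain http on :443 and proxies log the same request with or without the port."""
    parts = urlsplit(refang(url))
    return (parts.hostname or "").lower().rstrip("."), parts.path or "/"

BAD_HOSTS = {refang(d).lower() for d in ADVISORY_DOMAINS}
BAD_URLS = {normalize_url(u) for u in ADVISORY_URLS}

def host_matches(host: str) -> bool:
    """True for a listed domain or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_HOSTS)

def classify_url(url: str) -> Optional[str]:
    """Most specific verdict first: 'ioc-url', 'ioc-domain', 'cs-profile-uri' or None."""
    host, path = normalize_url(url)
    if (host, path) in BAD_URLS:
        return "ioc-url"
    if host_matches(host):
        return "ioc-domain"
    return "cs-profile-uri" if path in GENERIC_CS_PATHS else None

# Constructed log formats: "<ts> <client> <method> <url> <status>" (proxy) and
# "<ts> <client> <qtype> <qname>" (DNS). Adapt the regexes to your own log sources.
PROXY_LINE = re.compile(r"^(\S+)\s+(\S+)\s+[A-Z]+\s+(\S+)\s+\d{3}$")
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+[A-Z]+\s+(\S+)$")

def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # lines in another format are skipped, not fatal to the hunt
        ts, src, url = m.groups()
        verdict = classify_url(url)
        if verdict:
            hits.append({"ts": ts, "src": src, "url": url, "verdict": verdict})
    return hits

def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and host_matches(m.group(3)):
            ts, src, qname = m.groups()
            hits.append({"ts": ts, "src": src, "qname": qname, "verdict": "ioc-domain"})
    return hits

def lookup_hash(digest: str) -> Optional[str]:
    """Match a hex digest of either case (e.g. from EDR or AV output) against the
    MD5/SHA-1/SHA-256 lists; the algorithm is chosen by digest length."""
    d = digest.strip().lower()
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(d))
    return algo if algo and d in ADVISORY_HASHES[algo] else None

# Constructed sample logs. The fourth proxy line is a benign jQuery CDN download, kept in
# to show that 'cs-profile-uri' is a lead to triage rather than a confirmed hit.
SAMPLE_PROXY_LOG = [
    "2021-12-08T15:02:11Z 10.0.0.5 GET https://lartmana.com/jquery-3.3.1.min.js 200",
    "2021-12-08T15:02:12Z 10.0.0.5 GET http://guvonuk.com:443/static-directory/bn.png 200",
    "2021-12-08T15:02:14Z 10.0.0.5 GET https://cdn.guvonuk.com/language.js 200",
    "2021-12-08T15:03:00Z 10.0.0.7 GET https://code.jquery.com/jquery-3.3.1.min.js 200",
    "2021-12-08T15:03:05Z 10.0.0.9 GET https://example.org/index.html 200",
]
SAMPLE_DNS_LOG = ["2021-12-08T15:02:10Z 10.0.0.5 A lartmana.com",
                  "2021-12-08T15:02:10Z 10.0.0.9 AAAA www.example.org"]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Run against the constructed logs, the script reports two exact URL hits and one subdomain hit for client 10.0.0.5, one DNS hit for lartmana.com, and a `cs-profile-uri` lead for 10.0.0.7 that an analyst should check against the destination host before escalating. Point the two `scan_*` functions at your real proxy and DNS exports after adjusting the regexes to their column layout.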