
Rewterz Threat Alert – Emotet Epoch 3 botnet Deploys Trickbot and Qakbot

August 28, 2020

Severity

High

Analysis Summary

Emotet has served as a loader for other malware for some time. The infection vector remains malicious email carrying macro-embedded Office attachments. In this campaign the Emotet Epoch 3 botnet is observed downloading Trickbot and Qakbot as second-stage payloads. The initial attachment is a file named 'invoice.doc', so the malspam follows the common invoice-themed lure.


Impact

  • Security bypass
  • Code execution
  • Financial theft
  • Credential theft
  • Exposure of sensitive data
  • Account compromise

Indicators of Compromise

Domain Name

  • king61tours[.]com
  • grzegorzkucharski[.]com
  • karaz-sd[.]com

Filename

  • invoice[.]doc

MD5

  • 80f08f9a481b39e6f6d33efdec834855
  • 8e514dc1be16b12953315b5b6889bc00
  • ca8f77c07e02b6065f745d0021396bf1
  • 08ee2019e928a4a090edb0e98d073272

SHA-256

  • 537cae9dc56e79decd19c95f3558a5f204bb70fe6fa16ac7ef840991803508ac
  • ab738270198457f6e7d98c31337280933b09dd563ea6b9bfb73716903a0a7f23
  • 482f758d1a5ee81bf89cf7b582d80117520427064ce505246cca7733b4bbde67
  • 9206615c27a64e4617f1e3ec11b5584e0510df8b5744581f9e9c5d0136b1e43f

SHA1

  • ca01e30acb99809ec08e9f02737e25084215b964
  • 921a5af03f919c2ddf9d85e46a0307d75f394d9b
  • 4c59d3ee93aaaaa400adedde0798182dee855ee2
  • 58963deab813763b36552447878c2fb5f9b96ce0

Source IP

  • 194[.]5[.]249[.]157
  • 91[.]200[.]103[.]236
  • 195[.]123[.]240[.]252
  • 107[.]174[.]192[.]219
  • 185[.]176[.]40[.]216
  • 185[.]81[.]158[.]15
  • 82[.]239[.]200[.]118
  • 96[.]9[.]73[.]73
  • 180[.]211[.]170[.]214
  • 203[.]176[.]135[.]102
  • 195[.]123[.]241[.]187
  • 37[.]247[.]111[.]239

URL

  • http[:]//grzegorzkucharski[.]com/cli/92278618/fs8rc5s-001552/
  • http[:]//203[.]176[.]135[.]102[:]8082
  • http[:]//104[.]236[.]52[.]89[:]8080
  • http[:]//king61tours[.]com/pdf/lwuqKsRgijhXw/
  • http[:]//185[.]81[.]158[.]15[:]8080

Remediation

  • Block the threat indicators at their respective controls (email gateway for the filename and hashes, DNS and web proxy for the domains and URLs, perimeter firewall for the IPs).
  • Do not open invoice-themed attachments from untrusted emails.
  • Do not enable macros in documents from untrusted sources.
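The first remediation step is only useful once the published indicators are actually checked against telemetry. The script below is an added example, not Rewterz tooling: it refangs the defanged domains, IPs, URLs and MD5 from the lists above, then scans a handful of constructed key=value proxy, DNS and EDR log lines. Domain matching walks up the label hierarchy so a subdomain of a listed domain is caught, and a URL on a listed host is flagged even when the exact path differs. The log format, the host names and the internal IPs are assumptions made for the example.

```python
"""Match the advisory's defanged IOCs against log lines (added example, not Rewterz tooling)."""
import ipaddress
import re
from urllib.parse import urlsplit

# A subset of the defanged indicators published above; refang() restores the live form.
DEFANGED_IOCS = {
    "domain": ["king61tours[.]com", "grzegorzkucharski[.]com", "karaz-sd[.]com"],
    "ip": ["194[.]5[.]249[.]157", "203[.]176[.]135[.]102", "185[.]81[.]158[.]15"],
    "url": [
        "http[:]//grzegorzkucharski[.]com/cli/92278618/fs8rc5s-001552/",
        "http[:]//king61tours[.]com/pdf/lwuqKsRgijhXw/",
        "http[:]//203[.]176[.]135[.]102[:]8082",
    ],
    "md5": ["80f08f9a481b39e6f6d33efdec834855"],
}

# Constructed log lines in an assumed key=value format (proxy, DNS, EDR); not real telemetry.
SAMPLE_LOGS = [
    "2020-08-28T09:58:11Z src=10.0.0.5 dst=203.176.135.102 url=http://203.176.135.102:8082/ action=allow",
    "2020-08-28T09:58:40Z src=10.0.0.7 qname=cdn.king61tours.com. qtype=A rcode=NOERROR",
    "2020-08-28T09:59:02Z src=10.0.0.7 url=http://king61tours.com/pdf/lwuqKsRgijhXw/ status=200",
    "2020-08-28T09:59:30Z host=WS-12 file=C:\\Users\\a\\Downloads\\invoice.doc md5=80F08F9A481B39E6F6D33EFDEC834855",
    "2020-08-28T10:00:00Z src=10.0.0.9 dst=93.184.216.34 url=https://example.com/ action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(value: str) -> str:
    """Undo the [.] / [:] / hxxp defanging used in advisories."""
    return (value.replace("[.]", ".").replace("[:]", ":")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def build_index(defanged: dict) -> dict:
    """Refang and normalise every indicator so comparisons are exact, not substring."""
    idx = {kind: set() for kind in defanged}
    for kind, values in defanged.items():
        for raw in values:
            live = refang(raw)
            if kind == "domain":
                idx[kind].add(live.lower().rstrip("."))
            elif kind == "url":
                idx[kind].add(live.lower().rstrip("/"))   # case-folded for matching only
            elif kind == "ip":
                idx[kind].add(str(ipaddress.ip_address(live)))  # raises on a malformed IP
            else:
                idx[kind].add(live.lower())
    return idx


def domain_hit(name: str, domains: set):
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # a.b.c.com -> b.c.com -> c.com
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(lines, idx):
    """Return (line_no, field, kind, indicator) for every IOC hit in key=value log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for field, value in KV_RE.findall(line):
            v = value.lower()
            if field in ("src", "dst") and v in idx["ip"]:
                hits.append((n, field, "ip", v))
            elif field in ("qname", "host", "sni"):
                d = domain_hit(v, idx["domain"])
                if d:
                    hits.append((n, field, "domain", d))
            elif field == "url":
                if v.rstrip("/") in idx["url"]:
                    hits.append((n, field, "url", v.rstrip("/")))
                else:                           # unknown path on a listed C2 host still matters
                    host = urlsplit(v).hostname or ""
                    if host in idx["ip"]:
                        hits.append((n, field, "ip", host))
                    d = domain_hit(host, idx["domain"])
                    if d:
                        hits.append((n, field, "domain", d))
            elif field == "md5" and v in idx["md5"]:
                hits.append((n, field, "md5", v))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, build_index(DEFANGED_IOCS)):
        print("line %d: %s matched %s %s" % hit)
```

Hash and IP comparisons are exact after normalisation, which avoids the false positives a naive substring grep produces (an MD5 prefix, or 203.176.135.10 matching 203.176.135.102). The fifth sample line contains no listed indicator and produces no hit.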
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.