Rewterz Threat Alert – Trickbot Launches Personalized Spear Phishing Attacks
November 8, 2019Rewterz Threat Alert – DarkUniverse APT Framework
November 11, 2019Rewterz Threat Alert – Trickbot Launches Personalized Spear Phishing Attacks
November 8, 2019Rewterz Threat Alert – DarkUniverse APT Framework
November 11, 2019Severity
High
Analysis Summary
Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.
Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers.
Impact
Financial loss
Indicators of Compromise
SH256
- 19af5bfb8decc32253875836c39031a7e8258d167af7d0332527d0bcecb0c2b2
- 1a762540a795a8daa194322648a2d0072ed65da6e961989b284c31cb57f68405
- 226a36d5c22d1222e1a29d9b1eb8a072e39c5901c7b34654dc303ee6aa19f577
- 252dc0a071edf76775a0a954287fc0cc7ebb45e6f6849f210f747027d5cdeaf1
- 47699a9bb49acddb8c3ccc90dd7059d9677c2337878972d289fe8b656d44119d
- 56524c7f2264ebf2f309fc400eac6016df092c75c6871669d141fcab966fdb10
- 66f0b3b78d41b0164d680f850808ae9133b8f01746662292209aa32588e5db08
- 872e9f66d27895a16d84e9c2ab50708693dd85ae47ad01ccd62b884bfbb2ad56
- a35c5cd847e920a0655e99c9886aab94c91a190b3d0ef81d077e91840aa7c17b
- a3f8cb08735b481402bbe20ac0b2acfb827feac8f62d9d37db3aee0ae03c826f
- a9b18b8eb2f84bac3e831bcead88b525e623e0a3b7c71fc54130b99b3c12969f
- b6e62040ec8b2a92762f654d7f561c761235d6cb688e476c45e96b5355154759
- cb1418e28836dca5fb61a788ce324e9e4d1c3b1e4de6cdada721786f4ea8e12c
- e6d81855312d026966d95dd51dc09a23fa743d21bb2edb4f8943d767fff54a25
- eaa809f6ebdc3ddceba5b7d61bfe29db87f098a4c7bec05243c59df51406dfa1
- ffa68a8f6da85239d67cc3900d6ec7c573ae607cd9061389b260c2f5034dd4a0
URL
- http[:]//altruisme[.]id/wp-admin/vZKnZqjMqsPuwinXFnaBOzVfQe/
- http[:]//apple-doctor[.]co[.]kr/wp-includes/57ue8yxbj9cnltpw79ovgprc79mcgfwrg3g/
- http[:]//blog[.]nalanchenye[.]cn/sjnx/ev7j3w2wuzw9c06sfnsl1pkxomci0k8tx/
- http[:]//blog[.]yaobinjie[.]top/wp-admin/97e4bgd1ipa2xkuy2nmk5ebueof2rugff7/
- http[:]//garatuonline[.]es/wp-admin/ayr56gh65xnuncin8l0ddkngn0gkt2/
- http[:]//giftcatelogz[.]com/wp-admin/cb10wpgm89ysnysitilbbd084/
- http[:]//jftwebmarketing[.]com/mcc/yrjdo5ui3iuvfcu9e1svri/
- http[:]//korekortviborg[.]dk/wsxq66h/mnWlDLjshjGVzx/
- http[:]//mynet07[.]com/wp-admin/bFEYqYEGLBypImyyjc/
- http[:]//nirvana-memorial[.]co[.]th/cgi-bin/ih929uqqn27650xrm/
- http[:]//puskesmasmanguharjo[.]madiunkota[.]go[.]id/hfoiawj24jr/zUbarcSMvgXc/
- http[:]//quangcaogiaodich[.]com/wp-content/upgrade/jzkowiu4uobwywynyj7/
- http[:]//sabzoabi[.]ir/abiosabz[.]ir/mj4qdtd83jid8ibxg9awoe/
- http[:]//shreeharisales[.]org/wp-admin/oLJDQSyjhXrWuCkCUhpHETW/
- http[:]//test[.]oeag[.]at/lare/xzfjglc0ygmm5869qhjlbil/
- http[:]//www[.]awardglobal[.]cn/gsae9da/98ner0e6ynm8wp4jkyrnm4sixrufzjkddvg9/
- http[:]//www[.]cyberoceans[.]ng/cgi-bin/5aua6r6yif7oi2adx2uvh3bq459429hape6ju/
- http[:]//www[.]digitalsushi[.]it/wp-admin/MQlQnlzmtaX/
- http[:]//www[.]dolphininsight[.]it/wp-includes/wIAxwfTVtpEDixSmDMrVE/
- http[:]//www[.]dty5[.]com/aqs2q/i0vzxgxwb2qyiwopfw5x0xghz86b1/
- http[:]//xe-logistics[.]com/san/lba70p8gsncc1fi4wy3cwugxbjrk/
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.