Severity
Medium
Analysis Summary
Emotet uses a variety of lure themes, some of which occasionally leverage current events or news items such as COVID-19. While TA542, the actor behind Emotet, has sent messages to local, state and other government recipients, historically it has not directly leveraged political themes in its messaging. This month, thousands of Emotet email messages with the subject “Team Blue Take Action” have been detected, sent to hundreds of organizations in the US. The message body is taken directly from a page on the Democratic National Committee’s website, with the addition of a line requesting that the recipient open the attached document. The attachment is a malicious Word document, “Team Blue Take Action.doc”. The document contains macros which, if enabled by the recipient, download and install Emotet; the download happens only after macros are enabled, which is why macro policy is the control that matters for this lure. The second-stage payloads currently observed following Emotet are Qbot “partner01” and The Trick (TrickBot) “morXXX” (e.g. “mor125”), the quoted strings being the campaign identifiers carried in each payload’s configuration. Emotet and Qbot have been bundled together in earlier infection campaigns as well, and a recent wave of sophisticated malware infecting public-facing websites in Pakistan also showed both Emotet and Qbot infections.
Impact
- Credential Theft
- Information Theft
- Financial Loss
Indicators of Compromise
Email Subject
- Team Blue Take Action
- Valanters 2020
- Detailed information
- List of works
- Volunteer
- Information
Filename
- Team Blue Take Action[.]doc
- List of works[.]doc
- Valanters 2020[.]doc
- Detailed information[.]doc
- Volunteer[.]doc
MD5
- 78529a9e067203f11276d6815f7cc865
SHA-256
- 21cda873bff60530ae094d7906219b5c0cc5d98e808f8608962886683fc37504
SHA-1
- 3174d9d8875bf8dc25a3d27417dfe73103ff667e
Remediation
- Block the listed indicators at their respective controls: the file hashes on the endpoint and web proxy, the subject lines and attachment names at the mail gateway.
- Do not download or open untrusted files from any source; in particular, do not enable macros in Office documents received by email, since Emotet is downloaded only after macros are enabled.
- Search for the IoCs in the environment (mail logs, endpoint telemetry, SIEM). A hit on the attachment name or a file hash means Emotet is already on the host, with Qbot or TrickBot likely to follow, so treat it as an active infection rather than a blocked delivery.
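The following script is an added example of the IoC search described above; it is not Rewterz tooling and not part of the original alert. It carries the hashes, subject lines and filenames listed in this alert, strips RE:/FW: prefixes so forwarded copies of the lure still match, hashes attachments with all three algorithms the alert gives, and applies a cheap macro heuristic to legacy .doc files (OLE2 header plus a UTF-16LE "Macros" or "VBA" storage name). The mail-log line format, the sample log lines and the attachment bytes are constructed here as assumptions so the script runs offline; the real sample is not included.

```python
"""Offline IoC sweep for the Emotet campaign in this alert.

Added example (not Rewterz tooling). The hashes, subjects and filenames are
the indicators listed in the alert; the mail-log format, the sample log lines
and the attachment bytes are constructed here so the script runs offline.
"""
import hashlib
import re

# Indicators copied from the alert, with the "[.]" defanging removed.
IOC_HASHES = {
    "md5": {"78529a9e067203f11276d6815f7cc865"},
    "sha1": {"3174d9d8875bf8dc25a3d27417dfe73103ff667e"},
    "sha256": {"21cda873bff60530ae094d7906219b5c0cc5d98e808f8608962886683fc37504"},
}
IOC_SUBJECTS = {
    "team blue take action", "valanters 2020", "detailed information",
    "list of works", "volunteer", "information",
}
IOC_FILENAMES = {
    "team blue take action.doc", "list of works.doc", "valanters 2020.doc",
    "detailed information.doc", "volunteer.doc",
}

# OLE2 compound-file signature used by legacy .doc files. Directory entry
# names inside an OLE file are stored as UTF-16LE, so a raw search for the
# "Macros" and "VBA" storage names is a cheap, heuristic macro indicator;
# use a real OLE parser (e.g. oletools' olevba) for anything authoritative.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_MARKERS = ("Macros".encode("utf-16-le"), "VBA".encode("utf-16-le"))

_REPLY_PREFIX = re.compile(r"^\s*(?:(?:fwd|fw|re)\s*:\s*)+", re.IGNORECASE)
# Constructed log format (an assumption, not any real gateway's format).
_LOG_LINE = re.compile(
    r'from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attachment="(?P<attachment>[^"]*)"'
)


def normalize_subject(subject: str) -> str:
    """Strip RE:/FW: prefixes and case so forwarded copies still match."""
    return _REPLY_PREFIX.sub("", subject).strip().lower()


def file_hashes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests, the three algorithms the alert lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def looks_like_macro_doc(data: bytes) -> bool:
    """Heuristic: OLE2 header plus a 'Macros' or 'VBA' storage name."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in MACRO_MARKERS)


def assess_attachment(filename: str, data: bytes) -> dict:
    """Combine hash, filename and macro checks for one attachment."""
    digests = file_hashes(data)
    hash_hits = [alg for alg, d in digests.items() if d in IOC_HASHES[alg]]
    return {
        "filename": filename,
        "hash_hits": hash_hits,
        "name_hit": filename.lower() in IOC_FILENAMES,
        "has_macros": looks_like_macro_doc(data),
        "sha256": digests["sha256"],
    }


def scan_mail_log(lines) -> list:
    """Flag messages whose subject or attachment name matches the alert."""
    findings = []
    for line in lines:
        m = _LOG_LINE.search(line)
        if not m:
            continue
        subject_hit = normalize_subject(m["subject"]) in IOC_SUBJECTS
        name_hit = m["attachment"].lower() in IOC_FILENAMES
        if not (subject_hit or name_hit):
            continue
        # Subjects such as "Information" or "Volunteer" are generic, so a
        # subject-only match is low confidence; an attachment-name match
        # is what should page someone.
        findings.append({
            "sender": m["sender"],
            "subject": m["subject"],
            "attachment": m["attachment"],
            "confidence": "high" if name_hit else "low",
        })
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_LOG = [
    '2020-10-01T14:02:11Z from=volunteer@example.org to=staff@example.com '
    'subject="Team Blue Take Action" attachment="Team Blue Take Action.doc"',
    '2020-10-01T14:05:40Z from=hr@example.com to=staff@example.com '
    'subject="RE: Information" attachment=""',
    '2020-10-01T14:09:03Z from=news@example.net to=staff@example.com '
    'subject="Weekly digest" attachment="digest.pdf"',
]
# A fake OLE2 blob carrying a "Macros" storage name; it is not the real sample.
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 512 + "Macros".encode("utf-16-le") + b"\x00" * 64

if __name__ == "__main__":
    for finding in scan_mail_log(SAMPLE_LOG):
        print(finding)
    print(assess_attachment("Team Blue Take Action.doc", SAMPLE_DOC))
```

Point `scan_mail_log` at real gateway logs by adjusting `_LOG_LINE`, and feed quarantined attachments to `assess_attachment`. A filename or hash hit on an attachment that was delivered, as opposed to blocked, should be handled as a host already running Emotet.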