
Rewterz Threat Alert – Emotet Phishing Uses Political Lures

October 8, 2020

Severity

Medium

Analysis Summary

Emotet uses a variety of lure themes, some of which occasionally leverage current events or news items such as COVID-19. While TA542, the actor behind Emotet, has sent messages to local, state, and other government recipients, it has historically not leveraged political themes directly in its messaging. This month, thousands of Emotet email messages with the subject “Team Blue Take Action” have been detected being sent to hundreds of organizations in the US. The message body is taken directly from a page on the Democratic National Committee’s website, with an added line asking the recipient to open the attached document. The attachment is a malicious Word document, “Team Blue Take Action,” containing macros which, if enabled by the recipient, download and install Emotet. The current second-stage payloads we have observed following Emotet are Qbot “partner01” and The Trick “morXXX” (e.g., “mor125”). Emotet and Qbot have been bundled together in earlier infection campaigns as well. Recently, a wave of sophisticated malware infecting public-facing websites in Pakistan was also detected, in which both Emotet and Qbot infections were observed.

Figure 1 Emotet email lure containing malicious attachment

Impact

  • Credential Theft
  • Information Theft
  • Financial Loss

Indicators of Compromise

Email Subject

  • Team Blue Take Action
  • Valanters 2020
  • Detailed information
  • List of works
  • Volunteer
  • Information

Filename

  • Team Blue Take Action[.]doc
  • List of works[.]doc
  • Valanters 2020[.]doc
  • Detailed information[.]doc
  • Volunteer[.]doc

MD5

  • 78529a9e067203f11276d6815f7cc865

SHA-256

  • 21cda873bff60530ae094d7906219b5c0cc5d98e808f8608962886683fc37504

SHA1

  • 3174d9d8875bf8dc25a3d27417dfe73103ff667e

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download untrusted files from any source.
  • Search for IoCs in the environment.
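To act on the “Search for IoCs in the environment” step, the following is an added Python example (not part of this advisory) that hashes files against the MD5/SHA1/SHA-256 values above and flags mail-log entries whose subject or attachment name matches the lure list. The `subject="..." attachment="..."` log format and the sample log lines are constructed for illustration.

```python
import hashlib
import re

# Indicators of compromise listed in this advisory.
IOC_HASHES = {
    "md5": {"78529a9e067203f11276d6815f7cc865"},
    "sha1": {"3174d9d8875bf8dc25a3d27417dfe73103ff667e"},
    "sha256": {"21cda873bff60530ae094d7906219b5c0cc5d98e808f8608962886683fc37504"},
}
LURE_SUBJECTS = {"team blue take action", "valanters 2020", "detailed information",
                 "list of works", "volunteer", "information"}
LURE_FILENAMES = {"team blue take action.doc", "list of works.doc", "valanters 2020.doc",
                  "detailed information.doc", "volunteer.doc"}

def digests_of_chunks(chunks):
    """Compute MD5, SHA1 and SHA-256 over an iterable of byte chunks in one pass."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def file_digests(path):
    """Hash a file on disk without loading it into memory at once."""
    with open(path, "rb") as fh:
        return digests_of_chunks(iter(lambda: fh.read(65536), b""))

def hash_matches(digests):
    """Return the (algorithm, digest) pairs that equal an advisory hash."""
    return [(n, d) for n, d in digests.items() if d.lower() in IOC_HASHES[n]]

def subject_is_lure(subject):
    # Strip reply/forward prefixes so "RE: Team Blue Take Action" still matches.
    cleaned = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.strip(), flags=re.I)
    return cleaned.lower() in LURE_SUBJECTS

def attachment_is_lure(filename):
    # The advisory defangs names with "[.]"; real attachments use a plain ".".
    return filename.strip().lower().replace("[.]", ".") in LURE_FILENAMES

LOG_LINE = re.compile(r'subject="(?P<subject>[^"]*)"(?:\s+attachment="(?P<att>[^"]*)")?')

def scan_mail_log(lines):
    """Return log lines whose subject or attachment name matches the lure list."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and (subject_is_lure(m["subject"]) or (m["att"] and attachment_is_lure(m["att"]))):
            hits.append(line)
    return hits

SAMPLE_MAIL_LOG = [  # constructed sample lines, not real telemetry
    'ts=2020-10-08T09:12:01Z subject="RE: Team Blue Take Action" attachment="Team Blue Take Action.doc"',
    'ts=2020-10-08T09:13:44Z subject="Weekly report" attachment="report.xlsx"',
    'ts=2020-10-08T09:15:20Z subject="Volunteer" attachment="Volunteer.doc"',
]
```

Generic subjects such as “Information” will match legitimate mail, so treat a subject hit alone as a lead to triage and the attachment-name or hash hit as the stronger signal.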