July 24, 2020
Severity
High
Analysis Summary
Emotet is still active in the wild with its July 2020 campaign. The campaign uses a malicious Microsoft Word document, and gets creative with the appeal to enable content. Below is the attack flow.
VMRay Analyzer Report showing verdict and process graph of a sample from Emotet campaign July 2020.
The document carries a highly obfuscated macro that executes as soon as the document is opened. The macro starts a PowerShell instance with an encoded command passed as a program argument. That command tries to download Emotet from five hardcoded hosts and saves it under a fixed file name specified in the command itself (the file is later moved to %AppData%\msvcr100\).
Impact
- Credential Theft
- Information Theft
- Financial Theft
Indicators of Compromise
Domain Name
- mapas[.]hoonicorns[.]pt
- www[.]20190607[.]com
- connect-plus[.]co[.]uk
- lovely-lollies[.]com
MD5
- d40863c1d11d96d51e09252558e09946
SHA-256
- cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e
SHA-1
- f4a52b0eccaaebfeb65ee380be4c10c114d0fcfb
Source IP
- 212[.]51[.]142[.]238
- 198[.]144[.]158[.]120
- 109[.]117[.]53[.]230
URL
- http[:]//mapas[.]hoonicorns[.]pt/comp3/ly8cmti/
- https[:]//lovely-lollies[.]com/wp-admin/fgvid/
- https[:]//connect-plus[.]co[.]uk/aspnet_client/3yey3rr/
- https[:]//www[.]angage[.]com/wp-content/mtincvc/
- http[:]//www[.]20190607[.]com/wp-admin/ixyjozs/
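The following script is an added example (not Rewterz code) that turns the attack flow described above and the indicators listed here into simple triage logic: it flags an Office application spawning PowerShell, decodes a `-EncodedCommand` argument (base64 over UTF-16LE) and checks the decoded text for the listed hosts, and matches file writes under %AppData%\msvcr100\ or file hashes against the advisory's values. The event lines are constructed in a simplified `key=value|key=value` form; the dropped file name is not given in the advisory, so a placeholder is used, and the encoded sample is an inert URL assignment rather than the real loader.

```python
"""Triage constructed Windows process/file events against the Emotet July 2020
indicators in this advisory (added example, not Rewterz code)."""
import base64
import re

# Indicators taken from the advisory (defanging brackets removed).
IOC_DOMAINS = {
    "mapas.hoonicorns.pt",
    "www.20190607.com",
    "connect-plus.co.uk",
    "lovely-lollies.com",
    "www.angage.com",
}
IOC_HASHES = {
    "md5": {"d40863c1d11d96d51e09252558e09946"},
    "sha256": {"cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e"},
    "sha1": {"f4a52b0eccaaebfeb65ee380be4c10c114d0fcfb"},
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# %AppData%\msvcr100\ from the advisory (%AppData% expands to AppData\Roaming).
DROP_DIR = re.compile(r"\\appdata\\(?:roaming\\)?msvcr100\\", re.IGNORECASE)
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; longest alternative first.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if the flag is absent.
    PowerShell encodes the script as base64 over UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: nothing to inspect


def parse_event(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def analyze_event(event):
    """Return the list of findings for one event (empty list = nothing seen)."""
    findings = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()

    # Stage 1: an Office application spawning PowerShell (macro -> PowerShell).
    if image == "powershell.exe" and parent in OFFICE_PARENTS:
        findings.append("office-spawned-powershell")

    # Stage 2: an encoded command whose decoded text names a download host.
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded is not None:
        findings.append("encoded-command")
        for domain in sorted(IOC_DOMAINS):
            if domain in decoded.lower():
                findings.append("ioc-domain:" + domain)

    # Stage 3: a payload written under %AppData%\msvcr100\ or matching a known hash.
    if DROP_DIR.search(event.get("TargetFilename", "")):
        findings.append("emotet-drop-path")
    for pair in event.get("Hashes", "").split(","):
        if "=" in pair:
            algo, value = pair.split("=", 1)
            if value.lower() in IOC_HASHES.get(algo.lower(), set()):
                findings.append("ioc-hash:" + algo.lower())
    return findings


def analyze_log(lines):
    """Run analyze_event over every line; returns one findings list per line."""
    return [analyze_event(parse_event(line)) for line in lines]


# Constructed stand-in for the decoded script: only a URL assignment, nothing
# that downloads or executes (the real loader is deliberately not reproduced).
_SAMPLE_SCRIPT = "$u = 'http://mapas.hoonicorns.pt/comp3/ly8cmti/'"
SAMPLE_ENCODED = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    # 1. macro-launched PowerShell with an encoded command naming a listed host
    f"Image={PS}|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    f"|CommandLine=powershell.exe -enc {SAMPLE_ENCODED}",
    # 2. benign interactive PowerShell started from the desktop shell
    f"Image={PS}|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe -NoProfile",
    # 3. file written to the drop directory with the advisory's hashes
    #    (PLACEHOLDER.exe: the advisory does not give the dropped file name)
    f"Image={PS}|TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\msvcr100\\PLACEHOLDER.exe"
    "|Hashes=MD5=d40863c1d11d96d51e09252558e09946,"
    "SHA256=cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e",
]

if __name__ == "__main__":
    for line, findings in zip(SAMPLE_EVENTS, analyze_log(SAMPLE_EVENTS)):
        print(findings or "clean", "<-", line[:70])
```

The three stages are kept separate so that each one is useful on its own: the Office-to-PowerShell parent check fires even when the command line is not encoded, the decoded-text check catches hosts that a plain string match on the raw command line would miss, and the drop-path and hash checks cover the stage where the payload has already landed. Real Sysmon or EDR telemetry would be parsed from its own schema rather than the `key=value` form constructed here.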
Remediation
- Block the threat indicators at respective controls.
- Do not download email attachments coming from untrusted email addresses.
- Do not enable macros for untrusted files.