Rewterz Threat Alert – Increased Activity of Emotet

Severity

High

Analysis Summary

There has been a recent increase in Emotet spam activity, which Symantec researchers have analyzed. The spikes in activity were detected starting in September 2019 and continuing to rise through November 2019. Two types of distribution methods were found in use based on analysis of the spam emails. The first used a link within the body of the email that led to the download of a Word document. The other attached the malicious Word document directly to the email. Themes used in both cases were mostly related to invoices or finances. The researchers note that the documents discovered had been created only hours before being distributed in these campaigns. If the user enables macros within the Word documents, PowerShell is used to drop and execute the Emotet payload, which is embedded in the document’s streams. Emotet then performs its ultimate goal of installing additional malicious payloads.

Impact

Steal user information

Indicators of Compromise

MD5

55282b6387a0057e27502d613074c278

SHA-256

4e35e66d898a56184f42674c5bc41d4abe219beabeafb4cbdddf8ae974326839

SHA1

657eccf716280d463f52eb68466e4d355a34ed13

URL

• http[:]//www[.]4celia[.]com/wp-admin/2z8/
• http[:]//capsaciphone[.]com/wp-admin/q07360/
• http[:]//travalogo[.]com/pseovck27kr/est21175/
• http[:]//miracles-of-quran[.]com/css/ny77597/
• http[:]//essay[.]essaytutors[.]net/cgi-bin/mqdm65698/

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.