Severity
High
Analysis Summary
Symantec researchers have analyzed a recent increase in Emotet spam activity. The spikes were first detected in September 2019 and continued to rise through November 2019. Analysis of the spam emails showed two distribution methods in use: the first placed a link in the body of the email that led to the download of a Word document; the other attached the malicious Word document to the email directly. In both cases the lures were mostly invoice or finance themed. The researchers note that the documents they found had been created only hours before being distributed in these campaigns. If the user enables macros in the Word document, PowerShell is used to drop and execute the Emotet payload, which is embedded in the document's streams. Emotet then carries out its ultimate goal: installing additional malicious payloads.
Impact
Steal user information
Indicators of Compromise
MD5
55282b6387a0057e27502d613074c278
SHA-256
4e35e66d898a56184f42674c5bc41d4abe219beabeafb4cbdddf8ae974326839
SHA-1
657eccf716280d463f52eb68466e4d355a34ed13
URL
- http[:]//www[.]4celia[.]com/wp-admin/2z8/
- http[:]//capsaciphone[.]com/wp-admin/q07360/
- http[:]//travalogo[.]com/pseovck27kr/est21175/
- http[:]//miracles-of-quran[.]com/css/ny77597/
- http[:]//essay[.]essaytutors[.]net/cgi-bin/mqdm65698/
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
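The following is an added example, not tooling from Rewterz or Symantec, showing how an analyst would apply the indicators above and the "enable macros" step of the chain described in the analysis summary: it refangs the published indicators (undoing the `[:]` and `[.]` defanging), hashes an attachment with MD5, SHA-1 and SHA-256 and checks the digests against the hash watchlist, flags Office Open XML attachments that carry a VBA project, and checks URLs found in an email body against the URL watchlist. The hash and URL watchlists are copied from this advisory; the email body and the attachment are constructed stand-ins, and the VBA check assumes Open XML containers (docm, xlsm and similar zips), so it does not cover legacy binary .doc files, which are OLE2 compound files rather than zips.

```python
"""Added triage helper for the Emotet indicators in this advisory.

Not part of the advisory or of any vendor tooling. It refangs the published
indicators, hashes attachments against the hash watchlist, flags Office Open
XML attachments that embed a VBA project, and checks URLs in an email body
against the URL watchlist.
"""
import hashlib
import io
import re
import zipfile

# Indicators copied from the advisory above, kept in their defanged form.
HASH_IOCS = {
    "55282b6387a0057e27502d613074c278",                                   # MD5
    "657eccf716280d463f52eb68466e4d355a34ed13",                           # SHA-1
    "4e35e66d898a56184f42674c5bc41d4abe219beabeafb4cbdddf8ae974326839",   # SHA-256
}
URL_IOCS_DEFANGED = [
    "http[:]//www[.]4celia[.]com/wp-admin/2z8/",
    "http[:]//capsaciphone[.]com/wp-admin/q07360/",
    "http[:]//travalogo[.]com/pseovck27kr/est21175/",
    "http[:]//miracles-of-quran[.]com/css/ny77597/",
    "http[:]//essay[.]essaytutors[.]net/cgi-bin/mqdm65698/",
]


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the indicator can be matched."""
    return (indicator.replace("[:]", ":").replace("[.]", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def normalise_url(url: str) -> str:
    """Strip trailing punctuation and slash so small variations still match."""
    return url.rstrip(".,;)").rstrip("/").lower()


URL_IOCS = {normalise_url(refang(u)) for u in URL_IOCS_DEFANGED}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of an attachment, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_hash_ioc(data: bytes, watchlist=HASH_IOCS) -> bool:
    """True if any digest of the data is on the watchlist."""
    return any(h in watchlist for h in file_hashes(data).values())


def ooxml_has_vba(data: bytes) -> bool:
    """True if an Office Open XML container (docx/docm/xlsm...) embeds a VBA project.

    Assumption: the attachment is an OOXML zip. Legacy binary .doc files are
    OLE2 compound files and are not covered by this check.
    """
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def urls_on_watchlist(body: str) -> list:
    """Return the URLs in an email body whose normalised form is an indicator."""
    return [u for u in URL_RE.findall(body) if normalise_url(u) in URL_IOCS]


def make_sample_docm(with_vba: bool) -> bytes:
    """Constructed stand-in for a Word attachment (a minimal zip, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"constructed stub, not a real VBA project")
    return buf.getvalue()


# Constructed sample email body that references the first published URL.
SAMPLE_BODY = ("Please review the attached invoice, or download it from "
               + refang(URL_IOCS_DEFANGED[0]) + " before Friday.")


def triage(body: str, attachment: bytes) -> dict:
    """One verdict record per message, suitable for logging or alerting."""
    return {
        "url_hits": urls_on_watchlist(body),
        "hash_hit": matches_hash_ioc(attachment),
        "macro_container": ooxml_has_vba(attachment),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BODY, make_sample_docm(with_vba=True)))
```

In a mail gateway or EDR pipeline the `triage` record would be produced per message: a URL or hash hit is a direct match on the advisory's indicators, while `macro_container` is only a risk signal, since many legitimate documents carry macros, so it is best used to route the attachment to sandboxing rather than to block outright.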