Rewterz Threat Alert – Emotet Botnet Is Back, Resumes Activity Across Servers around the World
Severity
Medium
Analysis Summary
Command and control (C2) servers for the Emotet botnet appear to have resumed activity and are delivering binaries once more, after being dormant since the beginning of June.
Emotet started as a banking trojan in 2014 but has since evolved into a botnet that delivers other malware strains.
Emotet is now one of the top threats: its infrastructure is used to distribute Trickbot, another banking trojan, which in turn deploys the Ryuk ransomware. This combination, dubbed the ‘triple threat’, has affected public administrations in the U.S.
Impact
Exposure of sensitive information
File encryption
Indicators of Compromise
IP(s) / Hostname(s)
104[.]131[.]11[.]150
104[.]131[.]208[.]175
104[.]236[.]151[.]95
142[.]93[.]88[.]16
144[.]139[.]247[.]220
159[.]89[.]179[.]87
162[.]144[.]119[.]216
162[.]243[.]125[.]212
170[.]150[.]11[.]245
176[.]31[.]200[.]130
177[.]242[.]214[.]30
187[.]163[.]180[.]243
195[.]242[.]117[.]231
216[.]98[.]148[.]156
217[.]13[.]106[.]160
31[.]12[.]67[.]62
45[.]123[.]3[.]54
45[.]32[.]158[.]232
46[.]101[.]142[.]115
46[.]105[.]131[.]69
64[.]13[.]225[.]150
69[.]45[.]19[.]145
70[.]32[.]84[.]74
75[.]127[.]14[.]170
91[.]83[.]93[.]103
159[.]65[.]241[.]220
128[.]199[.]78[.]227
216[.]98[.]148[.]136
109[.]104[.]79[.]48
205[.]186[.]154[.]130
69[.]163[.]33[.]82
43[.]229[.]62[.]186
72[.]47[.]248[.]48
216[.]98[.]148[.]157
88[.]215[.]2[.]29
213[.]120[.]104[.]180
200[.]57[.]102[.]71
190[.]113[.]233[.]4
186[.]15[.]83[.]52
190[.]13[.]211[.]174
187[.]188[.]166[.]192
190[.]117[.]206[.]153
125[.]99[.]61[.]162
200[.]32[.]61[.]210
187[.]242[.]204[.]142
104[.]131[.]58[.]132
182[.]180[.]92[.]102
125[.]99[.]106[.]226
190[.]186[.]203[.]55
181[.]175[.]142[.]212
189[.]209[.]217[.]49
175[.]100[.]138[.]82
189[.]213[.]62[.]223
182[.]176[.]132[.]213
182[.]184[.]72[.]199
177[.]246[.]193[.]139
41[.]220[.]119[.]246
Remediation
Block all threat indicators at your respective controls.
Always be suspicious of emails from unknown senders.
Never click links or open attachments sent by unknown senders.
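The indicators above are published defanged ("[.]" in place of "."), so they cannot be pasted straight into a firewall or searched for in logs. The following Python is an added example, not part of the Rewterz alert: it refangs and de-duplicates an excerpt of the IP indicators listed above, scans a constructed sample of proxy/firewall log lines for any connection to them, and renders one outbound block rule per indicator. The log lines, field layout and iptables output format are assumptions made for illustration; adapt the parser to your own log format and the rule template to whatever control you actually enforce on.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Excerpt of the indicators from the alert above, still in their defanged
# form. One entry is deliberately repeated to show that de-duplication works.
DEFANGED_IOCS = """
104[.]131[.]11[.]150
142[.]93[.]88[.]16
159[.]89[.]179[.]87
128[.]199[.]78[.]227
128[.]199[.]78[.]227
46[.]101[.]142[.]115
"""

# Constructed sample of an egress log (not real traffic): one connection per
# line, with the destination IP in the fourth field. Two destinations are
# benign, three are indicators from the alert.
SAMPLE_LOG = """\
2019-09-16T08:01:12Z ALLOW 10.0.4.17 104.131.11.150 443 TCP
2019-09-16T08:01:15Z ALLOW 10.0.4.22 93.184.216.34 443 TCP
2019-09-16T08:02:03Z ALLOW 10.0.4.17 128.199.78.227 8080 TCP
2019-09-16T08:02:40Z ALLOW 10.0.4.9 172.217.16.78 80 TCP
2019-09-16T08:03:11Z ALLOW 10.0.4.31 46.101.142.115 443 TCP
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a literal: '[.]'/'(.)' -> '.', 'hxxp' -> 'http'."""
    ioc = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)


def load_ip_iocs(text: str) -> set[str]:
    """Refang, validate and de-duplicate the IP indicators in a report excerpt.

    Entries that are not valid IP addresses (hostnames, typos) are skipped;
    ipaddress.ip_address normalises the text so duplicates collapse.
    """
    ips: set[str] = set()
    for line in text.splitlines():
        candidate = refang(line)
        if not candidate:
            continue
        try:
            ips.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # not an IP indicator; hostnames need a separate path
    return ips


def scan_log(lines: Iterable[str], iocs: set[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, matched IP) for every log line touching an indicator."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4.findall(line):
            if ip in iocs:
                hits.append((n, ip))
    return hits


def iptables_rules(iocs: set[str]) -> list[str]:
    """Render one outbound DROP rule per indicator (iptables syntax, chosen for illustration)."""
    return [
        f"iptables -A OUTPUT -d {ip} -j DROP"
        for ip in sorted(iocs, key=ipaddress.ip_address)
    ]


if __name__ == "__main__":
    iocs = load_ip_iocs(DEFANGED_IOCS)
    print(f"{len(iocs)} unique IP indicators loaded")
    for line_no, ip in scan_log(SAMPLE_LOG.splitlines(), iocs):
        print(f"line {line_no}: connection to Emotet C2 {ip}")
    print("\n".join(iptables_rules(iocs)))
```

Run against the full indicator list rather than the excerpt, and feed it your real egress logs for the period since early June, when the alert says the servers went quiet. Two caveats apply to any IP-based blocklist: C2 addresses churn quickly, so review and expire the rules rather than leaving them in place indefinitely, and a C2 server may sit on shared hosting, so confirm the destination before treating a single match as a confirmed infection.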