Rewterz Threat Alert – Emotet Revival with Spam Emails Around the World

September 17, 2019

Severity

Medium

Analysis Summary

Emotet has resumed its spam operations and is again targeting users around the world. The campaign observed so far has targeted almost 66,000 unique email addresses spread across more than 30,000 domain names in 385 unique top-level domains (TLDs).

The malicious emails were sent from 3,362 different sender accounts whose credentials had been stolen, covering 1,875 unique sending domains in a little over 400 TLDs.


Early on there was no definitive answer on the final payload, only unconfirmed reports that some U.S.-based hosts received Trickbot, a banking trojan turned malware loader, as a secondary infection dropped by Emotet.

Based on current observations and spam samples shared by Cofense and the researcher JamesWT, today's Emotet campaign relies mostly on emails with a financial theme that appear to be replies to an earlier conversation; because they are sent from compromised accounts, they can arrive from a contact the recipient already knows. One such message, in English, is shown below:

[Figure: Emotet email sample (English)]

Polish and Italian users received a similar message, urging them to look at an invoice that had supposedly caused some problems:

[Figure: Emotet email sample (Italian)]

In a message likely aimed at a German recipient, the sender claimed there were issues with some documentation and asked the recipient to take a look:

[Figure: Emotet email sample (German)]

Impact

  • Credential theft
  • Exposure of sensitive information

Indicators of Compromise

URLs

  • http[:]//www[.]biyunhui[.]com/fj/wbTKndf/
  • http[:]//www[.]gongdu[.]xin/wp-content/sites/vxjSizeWJoGWVZTLYRXkACmh/
  • http[:]//www[.]gcesb[.]com/wp-includes/customize/zUfJervuM/
  • http[:]//bondagetrip[.]com/wp-content/y0gm3xxs_hmnw8rq-764161699/
  • https[:]//autorepuestosdml[.]com/wp-content/CiloXIptI/
  • http[:]//173[.]212[.]203[.]26[:]8080
  • https[:]//pep-egypt[.]com/eedy/xx3yspke7_l7jp5-430067348/
  • http[:]//pep-egypt[.]com/eedy/xx3yspke7_l7jp5-430067348/
  • http[:]//www[.]gcesab[.]com/wp-includes/customize/zUfJervuM/
  • http[:]//broadpeakdefense[.]com/fbsgf/McZcBMeM/
  • http[:]//danangluxury[.]com/wp-content/uploads/KTgQsblu/
  • http[:]//think1[.]com/wp-content/upgrade/2na4-4q5g-751619964/
  • https[:]//bondagetrip[.]com/wp-content/y0gm3xxs_hmnw8rq-764161699/
  • http[:]//www[.]situsjudimurah[.]com/wp-admin/Q1HZVMVATQ/VjliXWJED
  • http[:]//nautcoins[.]com/wp-includes/AcZxFxQ/
  • http[:]//autorepuestosdml[.]com/wp-content/CiloXIptI/
  • http[:]//lecairtravels[.]com/wp-admin/bXwjcdeg/

Malware Hashes (SHA256, followed by MD5)

  • 58cccf82558dfca7263efc5fcd4a5564e98dca436b20c469aab08756b0ba2269
  • 63b91a543f51d6eb61bd00c1bd63dd1711795eb0fa388ded2cd5dd87067d30fa
  • 7344ae2efd7ab63cde1ef4e751591b18e5ede90f466c080ceaeeda3f8a3555a7
  • bf338c7de316e7f886a8731dbf62900431b5968a2d923c016fbd21e929f9bbf2
  • 9e71b69aadd4dfbada4ad76ecdf1c775dbf2858240f27add9d7cb305caa7cdb5
  • 7c2b60ac2be19bcbe674b05f9d306458323bfec554c26f5f68a13f33efbf3343
  • 045c4ab485bd45781234451af0eae62f23abceae375d5434cff37c3e5620f872
  • 0210051eff91fe9393d24f213da566d0b06b8ea7796413b5fd27e75125967850
  • b16b16119e0f36b7ab63291218c256980f4c743dcf4dee657bbd2540962de150
  • 54adc3e06b4a64254ef2cef334894e8d5259543dc6312d6f0f15ee822b73e492
  • eee144531839763b15051badbbda9daae38f60c02abaa7794a046f96a68cd10b
  • 637b66dcfb65e1bcd5943d4a36bb16b3e493f2eb14a3157a3e603210bcfd9685
  • 27941d5b5934712bc254135f489eecc2
  • 408cfa20ee4e033e004e2994a156a9b2
  • f1ab1fa6d2b93ae55b448b96733ff195

Remediation

  • Block the indicators listed above at your respective controls (web proxy, DNS, firewall, email gateway, endpoint protection).
  • Treat unexpected emails with suspicion even when they appear to be replies from a known contact, since this campaign sends from compromised accounts with stolen credentials.
  • Never open links or attachments in unexpected emails, in particular invoice- or document-themed ones.
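The first remediation item asks you to push the indicators into your controls. As an added example (not Rewterz's own code), the Python below refangs a subset of the URLs listed above, sorts the listed hashes by digest type, derives hostname and full-URL blocklists, and checks a few constructed squid-style proxy log lines against them. The indicator values are copied from the list above; the log lines, client addresses and upstream IPs are constructed for the example.

```python
"""Turn the advisory's defanged IoCs into blocklists and check a proxy log.

Added example; not code from Rewterz. Indicator values are copied from the
advisory above; log lines and client addresses are constructed.
"""
import re
from urllib.parse import urlsplit

# Subset of the URLs listed above, kept in their defanged form.
DEFANGED_URLS = [
    "http[:]//www[.]biyunhui[.]com/fj/wbTKndf/",
    "http[:]//173[.]212[.]203[.]26[:]8080",
    "https[:]//pep-egypt[.]com/eedy/xx3yspke7_l7jp5-430067348/",
    "http[:]//pep-egypt[.]com/eedy/xx3yspke7_l7jp5-430067348/",
    "http[:]//lecairtravels[.]com/wp-admin/bXwjcdeg/",
]

# Subset of the hashes listed above (one SHA256, one MD5).
HASHES = [
    "58cccf82558dfca7263efc5fcd4a5564e98dca436b20c469aab08756b0ba2269",
    "27941d5b5934712bc254135f489eecc2",
]

# Constructed squid-style proxy log (fields: time elapsed client status bytes
# method url ident hierarchy type). Not taken from any real environment.
SAMPLE_LOG = """\
1568704291.101    312 10.0.0.12 TCP_MISS/200 41289 GET http://www.biyunhui.com/fj/wbTKndf/ - HIER_DIRECT/203.0.113.5 application/msword
1568704305.447     88 10.0.0.12 TCP_MISS/200  2210 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.9 text/html
1568704310.902    540 10.0.0.31 TCP_MISS/200  1380 POST http://173.212.203.26:8080/ - HIER_DIRECT/173.212.203.26 text/html
1568704390.118     64 10.0.0.31 TCP_MISS/404   512 GET http://lecairtravels.com/wp-admin/other/ - HIER_DIRECT/198.51.100.7 text/html
"""


def refang(ioc: str) -> str:
    """Undo the usual defanging ([.] [:] hxxp) so a control can consume the value."""
    s = ioc.strip().replace("[.]", ".").replace("[:]", ":")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s


def classify_hash(digest: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' from the digest length; reject anything else."""
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d):
        raise ValueError(f"not a hex digest: {digest!r}")
    kinds = {32: "md5", 40: "sha1", 64: "sha256"}
    if len(d) not in kinds:
        raise ValueError(f"unexpected digest length {len(d)}: {digest!r}")
    return kinds[len(d)]


def build_blocklist(defanged_urls):
    """Return (hosts, urls): hostnames for DNS/firewall blocks and
    normalised full URLs (no trailing slash) for the web proxy."""
    hosts, urls = set(), set()
    for d in defanged_urls:
        u = refang(d)
        parts = urlsplit(u)
        if not parts.hostname:
            raise ValueError(f"no host in {u!r}")
        hosts.add(parts.hostname)
        urls.add(u.rstrip("/"))
    return hosts, urls


def scan_log(log_text, hosts, urls):
    """Return (client, url, reason) for each request that touches an indicator.
    reason is 'url' for an exact URL match and 'host' for a host-only match;
    a host-only match still deserves a look, since several servers in the
    list above appear under both http and https."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        client, url = fields[2], fields[6]
        if url.rstrip("/") in urls:
            hits.append((client, url, "url"))
        elif urlsplit(url).hostname in hosts:
            hits.append((client, url, "host"))
    return hits


if __name__ == "__main__":
    hosts, urls = build_blocklist(DEFANGED_URLS)
    print("hosts to block:", sorted(hosts))
    for h in HASHES:
        print(classify_hash(h), h)
    for hit in scan_log(SAMPLE_LOG, hosts, urls):
        print("HIT", hit)
```

Feed the full URL list from the advisory into DEFANGED_URLS to get the complete blocklist; hostnames go to DNS or firewall controls, the normalised URLs to the proxy, and the hash list, once sorted by type, to the endpoint product that matches on that digest.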
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.