Rewterz Threat Alert – Emotet Revival with Spam Emails Around the World

Severity

Medium

Analysis Summary

Emotet is back and targeting different users around the world with it’s tactics. It’s fair to say that Emotet is now targeting almost 66,000 unique emails for more than 30,000 domain names from 385 unique top-level domains (TLDs).

As for the origin of the malicious emails, It came from 3,362 different senders, whose credentials had been stolen. The count for the total number of unique domains reached 1,875, covering a little over 400 TLDs.

At the beginning there was no definitive answer on the payload, only unconfirmed reports that some U.S.-based hosts received Trickbot, a banking trojan turned malware dropper, as a secondary infection dropped by Emotet.

From current observations and spam emails shared with by Cofense and JamesWT, Emotet’s campaign today relies mostly on emails having a financial theme and appearing to come as a reply to a seemingly previous conversation. This was noticed with the following message in English:

Polish and Italian users received a similar message, urging them to take a look at a bill that caused some problems:

In a message likely to a German recipient, the sender claimed there were issues with some documentation and asked the recipient to take a look:

Impact

• Credential theft
• Exposure of sensitive information

Indicators of Compromise

URLs

• http[:]//www[.]biyunhui[.]com/fj/wbTKndf/
• http[:]//www[.]gongdu[.]xin/wp-content/sites/vxjSizeWJoGWVZTLYRXkACmh/
• http[:]//www[.]gcesb[.]com/wp-includes/customize/zUfJervuM/
• http[:]//bondagetrip[.]com/wp-content/y0gm3xxs_hmnw8rq-764161699/
• https[:]//autorepuestosdml[.]com/wp-content/CiloXIptI/
• http[:]//173[.]212[.]203[.]26[:]8080
• https[:]//pep-egypt[.]com/eedy/xx3yspke7_l7jp5-430067348/
• http[:]//pep-egypt[.]com/eedy/xx3yspke7_l7jp5-430067348/
• http[:]//www[.]gcesab[.]com/wp-includes/customize/zUfJervuM/
• http[:]//broadpeakdefense[.]com/fbsgf/McZcBMeM/
• http[:]//danangluxury[.]com/wp-content/uploads/KTgQsblu/
• http[:]//think1[.]com/wp-content/upgrade/2na4-4q5g-751619964/
• https[:]//bondagetrip[.]com/wp-content/y0gm3xxs_hmnw8rq-764161699/
• http[:]//www[.]situsjudimurah[.]com/wp-admin/Q1HZVMVATQ/VjliXWJED
• http[:]//nautcoins[.]com/wp-includes/AcZxFxQ/
• http[:]//autorepuestosdml[.]com/wp-content/CiloXIptI/
• http[:]//lecairtravels[.]com/wp-admin/bXwjcdeg/

Malware Hash (MD5/SHA1/SH256)

• 58cccf82558dfca7263efc5fcd4a5564e98dca436b20c469aab08756b0ba2269
• 63b91a543f51d6eb61bd00c1bd63dd1711795eb0fa388ded2cd5dd87067d30fa
• 7344ae2efd7ab63cde1ef4e751591b18e5ede90f466c080ceaeeda3f8a3555a7
• bf338c7de316e7f886a8731dbf62900431b5968a2d923c016fbd21e929f9bbf2
• 9e71b69aadd4dfbada4ad76ecdf1c775dbf2858240f27add9d7cb305caa7cdb5
• 7c2b60ac2be19bcbe674b05f9d306458323bfec554c26f5f68a13f33efbf3343
• 045c4ab485bd45781234451af0eae62f23abceae375d5434cff37c3e5620f872
• 0210051eff91fe9393d24f213da566d0b06b8ea7796413b5fd27e75125967850
• b16b16119e0f36b7ab63291218c256980f4c743dcf4dee657bbd2540962de150
• 54adc3e06b4a64254ef2cef334894e8d5259543dc6312d6f0f15ee822b73e492
• eee144531839763b15051badbbda9daae38f60c02abaa7794a046f96a68cd10b
• 637b66dcfb65e1bcd5943d4a36bb16b3e493f2eb14a3157a3e603210bcfd9685
• 27941d5b5934712bc254135f489eecc2
• 408cfa20ee4e033e004e2994a156a9b2
• f1ab1fa6d2b93ae55b448b96733ff195

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the link/attachments sent by unknown senders.