
Rewterz Threat Alert – Emotet Wi-Fi Spreader Upgraded

March 10, 2020

Severity

High

Analysis Summary

The main change in the new package is that the Emotet loader is no longer bundled with the Wi-Fi spreader; it is now downloaded from a server. Previously a stand-alone program, the Wi-Fi spreader has become a full-fledged module in the Emotet package. The changes do not alter what the malware does, but they add step-by-step logging: the infected machine sends debugging output back over a new communications protocol, as two POST arguments to a PHP endpoint. The only notable change to the spreading logic is a fallback: if the brute-force against the C$ share fails, the spreader attempts to brute-force the ADMIN$ share. As with previous versions of Emotet, services.exe is downloaded from a hard-coded server. This version of services.exe downloads the Emotet binary from the C2 and, if the download succeeds, sends "payload downloaded ok" to the C2 before executing it.
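The C$-then-ADMIN$ fallback is the one behavioural change that is visible from the victim network, so it is worth turning into a detection. The following is an added example, not code from the advisory or from Emotet: it runs a small correlation over share-access events and flags a source host that racks up repeated failed C$ connections against a target and then moves on to ADMIN$ within a short window. The log format, hostnames, thresholds and the `parse_line`/`detect_spreader`/`analyze_log` helpers are all constructed for this example; map the fields from your own SMB telemetry (for instance Windows Security share-access events or an NDR's SMB log) before using it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed log format for this example (not the advisory's):
# one share-access attempt per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"share=(?P<share>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class ShareEvent:
    ts: datetime
    src: str      # host opening the share connection
    dst: str      # host whose share is targeted
    share: str    # normalised to upper case, e.g. "C$" or "ADMIN$"
    ok: bool      # True when the connection succeeded


@dataclass
class Finding:
    src: str
    dst: str
    c_failures: int        # failed C$ attempts before the fallback
    admin_attempts: int    # ADMIN$ attempts inside the window
    first_seen: datetime
    last_seen: datetime
    success_share: Optional[str]  # share that eventually opened, if any


def parse_line(line: str) -> Optional[ShareEvent]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ShareEvent(
        ts=datetime.fromisoformat(m["ts"]),
        src=m["src"],
        dst=m["dst"],
        share=m["share"].upper(),
        ok=(m["result"] == "OK"),
    )


def detect_spreader(events: List[ShareEvent], min_failures: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Flag (src, dst) pairs matching the advisory's pattern: at least
    `min_failures` failed C$ connections, followed by one or more ADMIN$
    attempts from the same source within `window` of the last C$ failure.
    A source that only hammers C$ is left to a generic brute-force rule."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pair[(e.src, e.dst)].append(e)

    findings = []
    for (src, dst), evs in by_pair.items():
        c_fail = [e for e in evs if e.share == "C$" and not e.ok]
        if len(c_fail) < min_failures:
            continue
        last_c_fail = c_fail[-1].ts
        admin = [e for e in evs
                 if e.share == "ADMIN$" and last_c_fail <= e.ts <= last_c_fail + window]
        if not admin:
            continue
        # First successful connection after the brute-force started, if any.
        success = next((e.share for e in evs if e.ok and e.ts >= c_fail[0].ts), None)
        findings.append(Finding(src, dst, len(c_fail), len(admin),
                                c_fail[0].ts, evs[-1].ts, success))
    return findings


def analyze_log(text: str) -> List[Finding]:
    events = [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]
    return detect_spreader(events)


# Constructed sample: 10.0.0.5 brute-forces C$ on 10.0.0.9, fails, falls back to
# ADMIN$ and gets in; 10.0.0.7 is a benign mistyped password; 10.0.0.8 hammers C$
# only and is deliberately not matched by this rule.
SAMPLE_LOG = """
2020-03-10T10:00:00 src=10.0.0.5 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:00:01 src=10.0.0.5 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:00:02 src=10.0.0.5 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:00:03 src=10.0.0.5 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:00:04 src=10.0.0.5 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:00:05 src=10.0.0.5 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:00:06 src=10.0.0.5 dst=10.0.0.9 share=ADMIN$ result=FAIL
2020-03-10T10:00:07 src=10.0.0.5 dst=10.0.0.9 share=ADMIN$ result=OK
2020-03-10T10:01:00 src=10.0.0.7 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:01:05 src=10.0.0.7 dst=10.0.0.9 share=C$ result=OK
2020-03-10T10:02:00 src=10.0.0.8 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:02:01 src=10.0.0.8 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:02:02 src=10.0.0.8 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:02:03 src=10.0.0.8 dst=10.0.0.9 share=C$ result=FAIL
2020-03-10T10:02:04 src=10.0.0.8 dst=10.0.0.9 share=C$ result=FAIL
"""

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {f.c_failures} C$ failures, "
              f"{f.admin_attempts} ADMIN$ attempts, got in via {f.success_share}")
```

The window and failure threshold are deliberately tunable: the spreader's brute-force is fast and sequential, so a tight window keeps the rule specific, while the C$-only source in the sample shows why this rule should sit beside, not replace, a plain share brute-force alert.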


Impact

Information theft

Indicators of Compromise

IP

  • 69[.]43[.]168[.]245

SHA-256

  • efbfc8500b4af8b39d940668c0dd39452c529ce8d3ead77da3057f1fc7499aef
  • 8a4239737f41b7f1730e6b6fdd2ecc3f1a4862bb6ab17f8a3d5eeba59423a8a0
  • 3c72f2fe57a0a6f1566bcc809b1039fafb483d5cb15efe8a03c3d68d5db2589f

Remediation

Block all threat indicators at your respective controls.

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.