Emotet is back: botnet springs back to life with new spam campaign

Credit to Author: Threat Intelligence Team| Date: Mon, 16 Sep 2019 17:04:53 +0000

After a fairly long hiatus that lasted nearly four months, Emotet is back with an active spam distribution campaign. For a few weeks, there were signs that the botnet was setting its gears in motion again, as we observed command and control (C2) server activity. But this morning, the Trojan started pumping out spam, a clear indication it’s ready to jump back into action.

The malicious emails started in the wee hours of Monday morning, with templates spotted in German, Polish, and Italian. Our Threat Intelligence team has also captured phishing samples sent in English.

Victims are lured to open the attached document and enable the macro to kick-start the infection process.

The PowerShell command triggered by the macro will attempt to download Emotet from compromised sites, often running the WordPress CMS.

Once installed on the endpoint, Emotet attempts to spread laterally, in addition to stealing passwords from installed applications. Perhaps the biggest threat, though, is that Emotet serves as a delivery vector for more dangerous payloads, such as ransomware.

Compromised machines can lay in a dormant state until operators decide to hand off the job to other criminal groups that will attempt to extort large sums of money from their victims. In the past, we’ve seen the infamous Ryuk ransomware being deployed that way.

While Emotet is typically focused on infecting organizations, Malwarebytes business and individual customers are already protected against this campaign, thanks to our signature-less anti-exploit technology. As always, we recommend users be cautious when opening emails with attachments, even if they appear to come from acquaintances.

As this campaign is not even a day old, we don’t yet know the impact on organizations and other users. We will continue to update this post as we learn more throughout the day. In the meantime, warn your coworkers, friends, and family to be wary of emails disguised as invoices or any other “phishy” instances.

Indicators of Compromise

Malicious Word document

eee144531839763b15051badbbda9daae38f60c02abaa7794a046f96a68cd10b

Hacked WordPress websites hosting the Emotet binary

danangluxury[.]com/wp-content/uploads/KTgQsblu/
gcesab[.]com/wp-includes/customize/zUfJervuM/
autorepuestosdml[.]com/wp-content/CiloXIptI/

Emotet binary

8f05aa95aa7b2146ee490c2305a2450e58ce1d1e3103e6f9019767e5568f233e

Post-infection traffic

179.12.170[.]88:8080/results/tlb/

The post Emotet is back: botnet springs back to life with new spam campaign appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/

Leave a Reply