After a five-month break, Emotet is back with a vengeance: a new and massive malspam campaign, detected on 17 July, is affecting countries around the world.
Emotet first appeared in the wild in 2014 as a banking trojan and has since evolved into a true multi-purpose criminal framework.
Before its temporary disappearance it was certainly one of the main threats of 2018, 2019 and the first months of 2020, at the very beginning of the COVID-19 pandemic.
The ongoing campaign
As reported by Malwarebytes researchers, the Emotet botnets have started running malspam campaigns again, using the same techniques already tried in the past.
In this case the e-mail samples found, some of them injected as replies into existing e-mail conversations, carry either an attachment or a URL pointing to a malicious Microsoft Office file.
In either case the document contains a heavily obfuscated macro which, once enabled, launches PowerShell through Windows Management Instrumentation (WMI) to fetch the Emotet binary from the first reachable server in a hard-coded list of compromised websites. Launching through WMI means the parent of the PowerShell process is the WMI provider host (WmiPrvSE.exe) rather than the Office application, which defeats naive parent-child process rules.
Once executed, the payload reports back to its command and control server and may then wait several days before taking further action, such as installing additional malware (the TrickBot trojan and Ryuk ransomware, for example) on the victim's computer.
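The infection chain described above (Office macro, PowerShell started through WMI, download from one of several compromised sites) leaves a recognisable trace in endpoint telemetry. The following Python is an added example, not part of the original article or of Malwarebytes' research: it scores constructed Sysmon-style process-creation events for a PowerShell start whose parent is WmiPrvSE.exe, corroborated by an Office process alive on the same host, an encoded command line and a hidden window. The event format, host names, PIDs, paths, the base64 string and the weights are all assumptions made for the illustration.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events for illustration only;
# hosts, PIDs, paths and command lines are invented, not telemetry from the campaign.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "WS01", "pid": 5100, "ppid": 3300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"host": "WS01", "pid": 1320, "ppid": 880,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    # The macro starts PowerShell through WMI, so the parent is WmiPrvSE.exe, not WINWORD.EXE.
    {"host": "WS01", "pid": 6044, "ppid": 1320,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc JABhAD0AJwBhACcA"},  # dummy base64, not the real loader
    # Scheduled admin script: no WMI or Office link, plain command line.
    {"host": "WS02", "pid": 2210, "ppid": 1008,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    # Management tooling also launches PowerShell via WMI; that alone must not alert.
    {"host": "WS03", "pid": 700, "ppid": 880,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"host": "WS03", "pid": 712, "ppid": 700,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus the -e/-ec aliases.
_ENCODED_FLAGS = {"-encodedcommand"[:n] for n in range(2, 16)} | {"-ec"}
_WINDOWSTYLE_FLAGS = {"-windowstyle"[:n] for n in range(2, 13)}
# Assumed weights: WMI parent alone is weak evidence, a direct Office parent is strong.
WEIGHTS = {"wmi_parent": 1, "office_running_on_host": 1, "office_parent": 2,
           "encoded_command": 1, "hidden_window": 1}


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _cmdline_indicators(cmdline: str) -> List[str]:
    tokens = cmdline.split()
    found = []
    if any(t.lower() in _ENCODED_FLAGS for t in tokens):
        found.append("encoded_command")
    for flag, value in zip(tokens, tokens[1:]):
        if flag.lower() in _WINDOWSTYLE_FLAGS and value.lower() == "hidden":
            found.append("hidden_window")
            break
    return found


def find_suspicious_powershell(events: List[Dict], threshold: int = 2) -> List[Dict]:
    """Score every powershell.exe start; return those at or above the threshold."""
    by_pid = {e["pid"]: e for e in events}
    office_hosts = {e["host"] for e in events if _image_name(e["image"]) in OFFICE_IMAGES}
    alerts = []
    for e in events:
        if _image_name(e["image"]) != "powershell.exe":
            continue
        indicators = []
        parent = by_pid.get(e["ppid"])
        parent_image = _image_name(parent["image"]) if parent else ""
        if parent_image == "wmiprvse.exe":
            indicators.append("wmi_parent")
            if e["host"] in office_hosts:  # an Office app is alive where WMI spawned PowerShell
                indicators.append("office_running_on_host")
        elif parent_image in OFFICE_IMAGES:
            indicators.append("office_parent")
        indicators += _cmdline_indicators(e["cmdline"])
        score = sum(WEIGHTS[i] for i in indicators)
        if score >= threshold:
            alerts.append({"host": e["host"], "pid": e["pid"], "score": score,
                           "indicators": indicators, "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_powershell(SAMPLE_EVENTS):
        print(f"{a['host']} pid={a['pid']} score={a['score']} {a['indicators']}: {a['cmdline']}")
```

With the default threshold only the WS01 event fires (WMI parent, Office running, encoded command, hidden window); the WMI-launched `Get-Service` on WS03 scores 1 and stays quiet, which is the point of scoring rather than matching on the parent alone.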
How to protect yourself
As is well known, one of Emotet's modules steals e-mail credentials and then spreads by sending infected messages to the victim's contacts. To avoid becoming an additional propagation vector yourself, protect each of your accounts: use a different password for every profile, enable two-factor authentication wherever it is available, and turn on alerts for unusual logins.
In any case, the usual recommendations against phishing also apply here:
- always exercise the utmost caution with e-mails of suspicious origin or from unknown senders;
- avoid opening attachments and never enable Microsoft Office macros, even when the document appears legitimate.
Below are the IoCs for the current campaign as published by Malwarebytes researchers (domains and IP addresses are defanged with "[.]").
SHA-256 hashes of malicious documents
- 5d2c6110f2ea87a6b7fe9256affbac0eebdeee18081d59e05df4b4a17417492b
- 4fdff0ebd50d37a32eb5c3a1b2009cb9764e679d8ee95ca7551815b7e8406206
- bb5602ea74258ccad36d28f6a5315d07fbeb442a02d0c91b39ca6ba0a0fe71a2
- 6d86e68c160b25d25765a4f1a2f8f1f032b2d5cb0d1f39d1d504eeaa69492de0
- 18fab1420a6a968e88909793b3d87af2e8e1e968bf7279d981276a2aa8aa678e
- d5213404d4cc40494af138f8051b01ec3f1856b72de3e24f75aca8c024783e89
Compromised sites hosting the payload
- elseelektrikci [.] com
- rviradeals [.] com
- skenglish [.] com
- packersmoversmohali [.] com
- tri-virgola [.] com
- ramukakaonline [.] com
- shubhinfoways [.] com
- test2.cxyw [.] net
- sustainableandorganicgarments [.]
- staging.icuskin [.] com
- fivestarcleanerstx [.] com
- bhandaraexpress [.] com
- crm.shaayanpharma [.] com
- zazabajouk [.] com
- e2e-solution [.] com
- topgameus [.] com
- cpads [.] net
- tyres2c [.] com
- thesuperservice [.] com
- ssuse [.] com
SHA-256 hashes of Emotet binaries
- 454d3f0170a0aa750253d4bf697f9fa21b8d93c8ca6625c935b30e4b18835374
- d51073eef56acf21e741c827b161c3925d9b45f701a9598ced41893c723ace23
- 1368a26328c15b6d204aef2b7d493738c83fced23f6b49fd8575944b94bcfbf4
- 7814f49b3d58b0633ea0a2cb44def98673aad07bd99744ec415534606a9ef314
- f04388ca778ec86e83bf41aa6bfa1b163f42e916d0fbab7e50eaadc8b47caa50
IP addresses of command and control servers
- 178.210.171 [.] 15
- 109.117.53 [.] 230
- 212.51.142 [.] 238
- 190.160.53 [.] 126
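To use the indicators above they first have to be refanged and then matched against your own DNS, proxy, connection and file telemetry. The Python below is an added example, not code from the article or from Malwarebytes: it refangs a subset of the listed IoCs, sets aside the entry whose top-level domain is missing on the page rather than guessing it, and matches the rest against constructed records whose "kind host value" format is invented for the example. Subdomains of a listed site count as hits; a host name that merely ends in the same letters does not.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# A subset of the indicators listed above, copied in the defanged form used on the page.
DEFANGED_DOMAINS = [
    "elseelektrikci [.] com",
    "test2.cxyw [.] net",
    "staging .icuskin [.] com",           # stray space from the listing
    "crm.shaayanpharma [.] com",
    "sustainableandorganicgarments [.]",  # TLD missing on the page; it must not be guessed
]
DEFANGED_IPS = ["178.210.171 [.] 15", "109.117.53 [.] 230"]
SHA256_IOCS = [
    "5d2c6110f2ea87a6b7fe9256affbac0eebdeee18081d59e05df4b4a17417492b",  # malicious document
    "454d3f0170a0aa750253d4bf697f9fa21b8d93c8ca6625c935b30e4b18835374",  # Emotet binary
]

# Constructed records in an invented "kind host value" format; not real logs.
SAMPLE_LOG = [
    "dns WS01 crm.shaayanpharma.com",
    "proxy WS01 http://www.elseelektrikci.com/",
    "dns WS02 mail.example.com",
    "conn WS02 178.210.171.15:443",
    "file WS03 5D2C6110F2EA87A6B7FE9256AFFBAC0EEBDEEE18081D59E05DF4B4A17417492B",
    "dns WS03 notelseelektrikci.com",
]

_HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(ioc: str) -> str:
    """'a.b [.] c' -> 'a.b.c'; whitespace left by copy/paste is removed as well."""
    s = re.sub(r"\s*\[\s*\.\s*\]\s*", ".", ioc.strip())
    return re.sub(r"\s+", "", s).lower()


def load_iocs(domains: List[str], ips: List[str], hashes: List[str]) -> Tuple[Dict[str, set], List[str]]:
    """Refang and validate; anything that is not a complete host name or IPv4 goes to `skipped`."""
    iocs: Dict[str, set] = {"domain": set(), "ip": set(), "hash": {h.lower() for h in hashes}}
    skipped: List[str] = []
    for raw in domains:
        d = refang(raw)
        if _HOST_RE.match(d):
            iocs["domain"].add(d)
        else:
            skipped.append(d)
    for raw in ips:
        ip = refang(raw)
        if _IPV4_RE.match(ip):
            iocs["ip"].add(ip)
        else:
            skipped.append(ip)
    return iocs, skipped


def domain_hit(hostname: str, domains: set) -> Optional[str]:
    """Exact match or subdomain; the leading dot stops 'notelseelektrikci.com' matching."""
    h = hostname.lower().rstrip(".")
    for d in domains:
        if h == d or h.endswith("." + d):
            return d
    return None


def scan(lines: List[str], iocs: Dict[str, set]) -> List[Dict]:
    hits = []
    for n, line in enumerate(lines, 1):
        kind, host, value = line.split(maxsplit=2)
        category, matched = None, None
        if kind == "dns":
            category, matched = "domain", domain_hit(value, iocs["domain"])
        elif kind == "proxy":
            category, matched = "domain", domain_hit(urlsplit(value).hostname or "", iocs["domain"])
        elif kind == "conn":
            ip = value.rsplit(":", 1)[0]
            category, matched = "ip", (ip if ip in iocs["ip"] else None)
        elif kind == "file":
            category, matched = "hash", (value.lower() if value.lower() in iocs["hash"] else None)
        if matched:
            hits.append({"line": n, "host": host, "kind": category, "ioc": matched})
    return hits


if __name__ == "__main__":
    iocs, skipped = load_iocs(DEFANGED_DOMAINS, DEFANGED_IPS, SHA256_IOCS)
    print("skipped (incomplete on the page):", skipped)
    for h in scan(SAMPLE_LOG, iocs):
        print(f"line {h['line']} {h['host']}: {h['kind']} {h['ioc']}")
```

Keep in mind that the compromised sites are legitimate websites whose owners are also victims; a hit on one of them is a reason to pull the endpoint's process and proxy history for the download, not proof of infection on its own, and the list will go stale as the sites are cleaned and the botnet rotates its download servers.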