Emotet Returns

-


The infamous Emotet botnet has returned. In February 2020, the Emotet botnet, largely made up of compromised WordPress servers, ceased to send spam emails. This period of inactivity has now ended with threat intelligence sources now observing an even large number of URLs and C&C servers than before.


Emotet botnet activity resumed around 15-17 July 2020. That was when the first confirmed emails leading to Emotet infection were first observed. Emotet aims to not only steal information, but also send spam emails using stolen credentials from infected terminals and attempts to spread the malware further.


The typical Emotet infection chain:




Current Emotet documents with embedded macros (as of July 2020):




Media coverage of Emotet since its return:


MSTIC:

https://twitter.com/MsftSecIntel/status/1284206817136926720


Malwarebytes:

https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/ 


Proofpoint:

https://www.proofpoint.com/us/blog/security-briefs/emotet-returns-after-five-month-hiatus 


JPCERT guidance on an Emotet infection:

https://www.jpcert.or.jp/at/2019/at190044.html 



Threat hunting sources for intelligence on Emotet activity:


The No.1 source of reliable Emotet IOCs comes from @Cryptolaemus1

https://twitter.com/Cryptolaemus1


The “Emotet” or “Heodo” tag on MalwareBazaar 

https://bazaar.abuse.ch/browse/tag/Emotet/


The Any.Run “Emotet” trend

https://any.run/malware-trends/emotet


Searching for “Emotet” on OTX Alienvault

https://otx.alienvault.com/browse/pulses?q=Emotet


Querying Emotet on Twitter

https://twitter.com/search?q=Emotet%20or%20%23Emotet&src=typed_query&f=live



The Emotet operators:


CrowdStrike tracks the Emotet operators as ‘MummySpider’ alongside other high-end cybercriminal groups known as WizardSpider (the operators of the TrickBot banking Trojan), LunarSpider (operators of IcedID/BokBot banking Trojan) and DoppelSpider (the operators of DoppelDridex and the DoppelPaymer ransomware). 


MummySpider has developed the Emotet malware for several years now and has worked on it extensively, building a botnet with hundreds of thousands of devices. Since Emotet’s return, it has been observed dropping TrickBot and Qbot (aka Qakbot) as it continues to collaborate with the top-tier malware operators.


Emotet infections often lead to TrickBot being dropped, and eventually the Ryuk ransomware in some cases. However, VMware Carbon Black recently disclosed a new ransomware variant, dubbed Conti, that was observed leveraging TrickBot’s C&C infrastructure. Conti ransomware is a new and sophisticated threat that is operated manually by human adversaries with deep knowledge of network security and system administration. 


MummySpider is only just beginning this new campaign, which is showing signs of it being its largest ever. The Cryptolaemus1 team reported 589KB worth of indicators on 21 July. This paste is the largest number of samples that the researchers have reported in a single day. Amongst these IOCs were some notable owners of compromised sites: the governments of Mongolia and Albania, as well as universities from Indonesia, Nigeria, Mexico, and Vietnam.


Kevin Beaumont (@GossiTheDog on Twitter) and others also identified that something is replacing Emotet payloads with GIFs on compromised websites. It is unknown if this is a white-hat hacker enacting revenge on the Emotet botnet or the operators themselves. The GIFs themselves do not give any clues as to their author.


My previous blog titled ‘The most dangerous malware in the world: Emotet’ is available here.


Stay frosty Blue Team.

 

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more