Rewterz Threat Alert – Emotet Malspam Campaign Uses Snowden’s New Book as Lure

Severity

High

Analysis Summary

Emotet recently resumed its spear phishing attacks, using the news of NSA whistleblower Edward Snowden’s new book, Permanent Record, as a lure. The memoir is already on Amazon’s bestseller list, and criminals routinely exploit such newsworthy events for scams and other social engineering. In this campaign the Emotet operators purport to offer Snowden’s memoir as a Word attachment. Emails from the campaign have been observed in English, Italian, Spanish, German and French.


When the document is opened, a fake message claims that “Word hasn’t been activated”. When the victim clicks “Enable Content” in the accompanying security warning, the malicious macro executes.


The macro launches a PowerShell command that downloads the Emotet binary from a compromised WordPress site. Once infected, the machine attempts to reach one of Emotet’s many C2 servers.

Impact

  • Credential Theft
  • Financial Loss
  • Loss of Information

Indicators of Compromise

IP(s) / Hostname(s)

  • 178[.]32[.]255[.]133
  • 133[.]130[.]73[.]156
  • 62[.]75[.]171[.]248

URLs

  • http[:]//62[.]75[.]171[.]248[:]7080/chunk/window/ringin/
  • http[:]//www[.]cia[.]com[.]py/wp-content/uploads/2019/09/XNFerERN/

Malware Hash (MD5/SHA1/SHA256)

  • 757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975 (SHA256)
  • 8c540b62bcd2ac90364dd56eb1bb6e46 (MD5)
  • 5ab7a5cf290ebf52647771f893a2fa322a9b1891e5a5e54811c500dd290c8477 (SHA256)
  • b960f1afb95b6f0e53b3fcec2aa54a98 (MD5)

Remediation

  • Block the threat indicators at their respective controls (mail gateway, web proxy, firewall, endpoint).
  • Do not download email attachments from untrusted sources.
  • Do not enable macros or content unless strictly necessary.
  • Always scan files before execution.
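As a defender-side illustration of the infection chain described above (Word macro spawning PowerShell, download from the compromised site, C2 contact) and of the first remediation item, the following Python script is an added example and not Rewterz tooling. It refangs the indicators published in this advisory, flags Sysmon-style process-creation events in which an Office application spawns a script host (generalised beyond Word to Excel and PowerPoint, which is an assumption), checks proxy log lines against the URL, host and IP indicators, and compares file hashes against the published list. All telemetry in it is constructed for the example.

```python
import re

# Indicators exactly as published in the advisory (defanged).
DEFANGED_IPS = ["178[.]32[.]255[.]133", "133[.]130[.]73[.]156", "62[.]75[.]171[.]248"]
DEFANGED_URLS = [
    "http[:]//62[.]75[.]171[.]248[:]7080/chunk/window/ringin/",
    "http[:]//www[.]cia[.]com[.]py/wp-content/uploads/2019/09/XNFerERN/",
]
KNOWN_HASHES = {
    "757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975",
    "8c540b62bcd2ac90364dd56eb1bb6e46",
    "5ab7a5cf290ebf52647771f893a2fa322a9b1891e5a5e54811c500dd290c8477",
    "b960f1afb95b6f0e53b3fcec2aa54a98",
}


def refang(indicator: str) -> str:
    """Undo the [.] / [:] defanging so the value can be compared with log data."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Host part of a URL without scheme, port or path ('' if not a URL)."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).split(":")[0].lower() if m else ""


IPS = {refang(i) for i in DEFANGED_IPS}
URLS = {refang(u) for u in DEFANGED_URLS}
HOSTS = {host_of(u) for u in URLS} | IPS

# Parent/child pairs for the chain in the advisory (Word macro -> PowerShell).
# Generalised to other Office apps and script hosts; that widening is an assumption.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def office_spawns_shell(event: dict) -> bool:
    """True for a Sysmon-style process-creation event where an Office app starts a script host."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    child = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return parent in OFFICE_PARENTS and child in SCRIPT_HOSTS


def scan_process_events(events):
    return [e for e in events if office_spawns_shell(e)]


def match_proxy_line(line: str):
    """Return (client, url, reason) if a proxy line touches an advisory indicator."""
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, client, _method, url, _status = parts[:5]
    if url in URLS:                      # exact payload / C2 URL from the advisory
        return (client, url, "url")
    if host_of(url) in HOSTS:            # same host or IP, different path
        return (client, url, "host")
    return None


def scan_proxy_log(text: str):
    return [hit for hit in map(match_proxy_line, text.splitlines()) if hit]


def is_known_sample(digest: str) -> bool:
    """Compare an MD5 or SHA256 hex digest against the advisory's hash list."""
    return digest.strip().lower() in KNOWN_HASHES


# Constructed sample telemetry (not real data); field names mirror Sysmon Event ID 1.
PROC_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc <base64-placeholder>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Constructed proxy log: timestamp client method url status.
PROXY_LOG = """\
2019-09-24T10:02:11Z 10.0.0.15 GET http://www.cia.com.py/wp-content/uploads/2019/09/XNFerERN/ 200
2019-09-24T10:02:13Z 10.0.0.15 GET http://62.75.171.248:7080/chunk/window/ringin/ 200
2019-09-24T10:05:40Z 10.0.0.15 POST http://62.75.171.248:7080/other/path/ 200
2019-09-24T10:03:00Z 10.0.0.22 GET http://example.com/index.html 200
"""

if __name__ == "__main__":
    for e in scan_process_events(PROC_EVENTS):
        print("office->script host:", e["CommandLine"])
    for client, url, why in scan_proxy_log(PROXY_LOG):
        print(f"ioc hit ({why}): {client} -> {url}")
```

The host-level match is deliberately looser than the exact URL match: the advisory's download URL lives on a compromised WordPress site, so any request to that host or to the listed C2 IP is worth reviewing even when the path differs.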